Info below on being a data forensics examiner/ investigator / scientist

My first most treasured experience in this field was when the Cincinnati Detective Force came to the service bureau I worked at in 1997 and asked if they could put their best person on analyzing some digital stills… They were ATM photos of a bank robber who parked his car just out of clear view. I took the images of the car and re-constructed the anti-alias on the car’s license plates and two days later presented my report. A month went by when I learned my work was used as evidence and the criminals were apprehended; traced by my good work ! … others are recreating crash scenes to show the events of a car accident based on calculating velocities required to produce the effects of crash sites; and those animations were used in courts in Texas… I have since further ventured into the following …

Practical Cybersecurity with Malcolm Shore
win 8
raspberry pi hosts linux distribution
putty secure shell interface

notes on Practical Cyber Security

analyze and protect systems

1998 Robert Morris Christmas tree worm
legions of doom and master of deception
then Kevin mitnick

evolution of hackers

when banks became accessible etc. crime advanced as online society grew

cyber attacks used well organized business process

reconnaissance: trashing , phreaking, profiling targets, botnet port scanning, IP scam response check, etc.
weaponization: design of exploitability to a hone-in target,
delivery: email phishing, malware, bug/flaw holes, internal usb, ftp down, extranet file share, injection
establish a “beachhead” then
A TOOL is a WEAPON weather used to inflict harm or not.
exploitation: software to memory or on disk
installation:registry to autorun payload
command & control: operate long term
Action: hackivist motives, espionage, more cause-driven subversive goals
advanced persistent threat malware (APT), stealthy, can even rebuilt itself e.g. Stuxnet like in the movie blackhat
Iran operation Wiper became Flame one of the most spophisticated malware ever.
June 1 2012 NYTimes announceced the US developed Stuxnet and hacked Iran.

adware & spyware are PUPs Potentially Unwanted Programs.

Consider the evolution of not victory or defeat but since Eupoe designed subversion in early 19th century, its it is not focused on violence or counter-force and transcends into values of organizational insurgent disruption .

an infected computer can even be infected

identify vulnerabilities in networks and systems which might be exploited in a cyber attack. I’ll start by taking a look at the two most common security tools, Antivirus, and Firewalls. Then I’ll look at how hackers profile a network to check where systems are connected, what services are open, and what software is running.

I’ll use two popular tools, Nmap and Netcat. I’ll then demonstrate the Nessus and Vega scanners to check open services for vulnerabilities. Finally, I’ll use Wireshark Packet Capture Tool, to monitor and analyze the raw packets being sent across the network. When you finish this course, you’ll have a great understanding of how to profile and protect your network, how to check whether it could be compromised, and how to monitor the activity on it. So let’s get started with Practical Cybersecurity.

Robert Morris was one of the earliest hackers to mount a public attack, when in 1988 he released the Christmas Tree worm onto the internet. And caused over 6,000 computers to crash. He was charged and fined $10,000. Rather a lot in those days. Then, in 1990, two hacking groups, the Legion of Doom and the Masters of Deception declared war on each other, and mounted attacks over the internet on each other’s computers.

buy time on botnets which are compromised computers

The cyber kill chain

Understanding Computer Forensics
Preparing for a Computer Forensics Investigation
Preserving Data
Acquiring data
Analyzing Data

Understanding Computer Forensics

Goals of computer forensics

To understand computer forensics you must know what it tries to accomplish. The ultimate goal of computer forensics is to produce evidence for legal cases, to achieve this ultimate goal there are some objectives you need to work on. The first objective is to prepare for an investigation. For example, write protecting your evidence drive is one of the ways to prepare for your investigation. The second objective is to acquire data. Acquiring data here means, simply making a copy of your evidence drive.

So that when you’re doing your investigation, you only work on the copy of the evidence drive, rather than the evidence drive, itself. Once you have your data acquired, the next step is to analyze the data. Conducting a search based on a keyword, could be a good example of analyzing the data. Finally, the last step is to identify evidence and present it in the form of a written report. A lot of times these reports are auto generated by your computer forensics tool but you still have to edit this auto generated report, as a computer forensics investigator.

When these objectives of computer forensics are accomplished, it is safe to say that a computer forensics investigator is now ready to submit evidence.

Types of computer forensics investigations

There are primarily two different types of computer forensic investigations, one is public and the other is private. Public investigations occur in the context of criminal cases, usually conducted by the law enforcement officers and driven by the statues in the criminal law. Some examples of public investigations involved drug dealers sexual exploitation and theft, private investigations occur in the context in the context of civil cases in fact organizations they try to avoid any form of litigations due to the enormous cost associated with them.

Therefore many of the private investigations turn out to be simply internal cases. Private investigations are typically conducted by corporations or any other types of organizations out there, they’re driven by the statues of the civil law or organizational policies. One of the most important things to consider in private investigations is business continuity. If your investigation is hurting your business continuity, the investigation is not probably worth it.

Therefore, your priority has to be, really stopping the violations, rather than litigating anybody. So, if the examples of private investigations involve sabotage, embezzlement and industrial espionage. The boundary between public and private investigation is not always very clear. For example when your investigating an employee for potential violation of company polices and somehow come across a sexually explicit material. The case quickly turns into a public case because of this reason, as a computer forensics investigator, you should be able to handle both public and private cases.

Legal implications

There are some important legal consequences you should be aware of as a Computer Forensics Investigator. Depending on how you conduct your computer forensics investigation, the entire evidence you collect could be thrown out of court. Even worse is that you, yourself, could get into some sort of a legal trouble, if you’re not very careful. In the context of a public investigation, one of the first things you have to consider is the Fourth Amendment. As you know, the Fourth Amendment protects you from unauthorized search and seizure.

Therefore, as a computer forensics investigator, it is important that you obtain a warrant, by putting together a document call an affidavit to justify your warrant. In the context of a private investigation, the Fourth Amendment is no longer an issue, because a lot of times your investigation is driven by internal policies rather than the statutes of the law. For your evidence to be accepted by the court, ensuring the reproducibility and verifiability of your evidence is critical.

You can accomplish this by following systematic procedures in your computer forensics investigations when you’re collecting and analyzing your data. For example, the use of chain of custody forms and evidence containers are critical, especially when you’re trying to make sure there is little chance of tampering. One way of ensuring verifiability is by the use of a hash utility. Let’s say that you have data on an original storage device or evidence drive and it somehow produces a hash value A.

And you’ll make a copy and if it produces hash value B, and if A and B matches, the validity of the copy is verified. In this course, we have a dedicated lesson where we look into hashing more in detail. You can use hashing to ensure reproducability too. If you can generate the same hash value over and over again, as long as the file is the same and the tool you are using is the same, reproducability is proven. How you conduct your computer forensics investigation may have a significant legal impact, to avoid unintended consequences, following the best practices in your computer forensics investigation is essential.

Preparing for a Computer Forensics Investigation

Computer forensics hardware

There’s some hardware tools you need as a computer forensics investigator to function effectively. One of the goals of Computer Forensics Hardware is efficiency, mainly in terms of speed. As a computer forensics investigator, much of your time is spent on maintain things such as waiting for your imaging process is over and looking for information. Depending on how fast your computer is, a lot of these tests could be done very quickly.

Therefore the speed in your computer forensics investigation is very critical. Another goal of your computer forensics hardware is the capacity. Typically your computer forensics hardware requires more memory and storage and also extra bays or slots. Due to the nature of your investigation, another goal of compute forensics hardware is compatibility. If your investigations you will be be coming across many different times of operating systems or software applications.

In addition to the software, there are also a lot of different kinds of harder pieces you’ll have to be dealing with as a computer forensics investigator. The next goal is mobility or portability. When you show up at a crime scene, there are some initial tasks you have to accomplish as a computer forensics investigator which is why some of the computer forensics hardware you need initially has to be more portable. Depending on where you are conducting your computer forensics investigation, you could have full-blown computer forensics workstation especially when the investigation is conducted in a lab environment.

However, you’re at a crime scene, you need a scaled down version of this type of hardware, especially in the form of a field-kit. One of the major elements of this type of field key is a laptop configured as a computer forensics work station. There are also some miscellaneous computer forensics hardware such as flashlights, anti-static evidence bags cameras chain of custody forms and cable and screw drivers. Anti-static evidence bags are especially important when you’re dealing with sensitive electronic parts of your evidence.

If they are not properly protected, these electric parts could be short-circuited and won’t be able to be used as your evidence. To protect these parts, you need an anti-static evidence bag. There are also many more specialized computer forensics related equipment, but the hardware we have discussed so far is a minimum set of equipment you’d need as a computer forensics investigaton

Computer forensics software

A huge part of becoming an effective computer forensics investigator, is to be familiar with all the major computer forensic software. There are commercial computer forensic software out there, such as EnCase, Forensics Toolkit, and ProDiscover. There are also Open Source and free computer forensic software. Such as Autopsy, Digital Forensics Framework, etc. We can also categorize the computer forensic software tools based on the comprehensiveness of the features they provide.

When a software tool provides all the features or most of the features necessary for you to conduct a computer forensics investigation, we call them a computer forensics software suite. Software tools such as EnCase, Forensics Toolkit, ProDiscover, Autopsy, and Digital Forensics Framework. There are also computer forensics utilities that focus only on a single aspect of computer forensics investigations. For example FTK Imager only focuses on obtaining an image of an evidence drive.

Tools such as DCFLDD or DD also provide similar features. Hex Workshop is a hex editor that allows you to examine your file at the binary level. And by the time you are done with this course, you’ll have a list of basic understanding of how these tools are used in a computer forensics context.

Computer forensics certifications

Obtaining a certification is a good way to increase your credibility as a computer forensics investigator. There are many two different types of certifications out there. One is those provided by tool vendors such as guidance software or Access Data. The other is provided by professional associations such as EC-Council, or International Association of Computer Investigative Specialists, IACIS.

Another way of categorizing computer forensics certifications is based on accessibility, whether certification is open to the public or not. So, we’ll look into each certification in more detail, one by one. Let’s look at EnCase first, it requires 64 hours authorized computer forensics training or 12 months of computer forensics experience. And the certification provided by the guidance software is called EnCase Certified Examiner or EnCE.

Next is the certification provided by AccessData. The requirements for this certification include familiarity with tools such as, Forensics Toolkit, Password Recovery Toolkit, FTK Imager, and Registry Viewer. As you can see a lot of times these vendor provided certifications are tied to the products the vendors are selling. The certification provided by access data is called Access Data Certified Examiner or ACE.

Next is the certification provided by EC-Council, this one is vendor-neutral and open to the public. The name of the certification is Certified Hacking Forensics Investigator, or Certified Hacking Forensic Investigator or CHFI. Finally, there is a certification provided by an organization called IACIS. In this case, the certification is not open to the public but only available to the law enforcement officers, or government employees. The name of the certification is Certified Forensic Computer Examiner, or CFCE.

If you decide to become a career computer forensic investigator it’s not a bad idea to obtain one of these computer forensic certifications.

Understanding partitioning

On Linux, a storage device is represented as a file. For example, a physical SATA or a serial ATA hard drive shows up as /dev/sda in the file system the second physical SATA hard drive will show up as /dev/sdb in the file system. A USB drive I just plugged in to this machine is now going to show up as dev/sdd in the file system.

The numbers after drive letters such as sda or sdb represent partitions or logical drives. I’ll use fdisk to demonstrate this concept, type sudo fdisk -l, you’ll need sudo command before fdisk because you need to execute this command as a privileged user, press enter. If the operating system asks for entering your password, go ahead and type it in.

I already typed in my password, which is why it shows up without typing the password. As you can see, /dev/sda1 is the first partition of the first physical drive on my machine, dev/sda2 is the second partition on my physical hard drive SDA, and so on. When I see something like deb/sda5, what that means is that it’s a logical partition inside an extended partition.

So the logical partition inside the extended partition starts with the number five. Now, I also see dev/sdb1 here, which means, I have another physical drive which has only one partition. Finally, I have the third storage device, dev/sdd1, which is my USB drive, which has only one partition. Now you know where to look for storage device information on your Linux operating system and how to interpret their representations.

Understanding hexadecimal numbers

The knowledge of hexadecimal numbers is another important tool in the toolbox of a computer forensics investigator. One of the motivations of using hexidecimal numbers in computer forensics investigations is that sometimes it is necessary to investigate data at the binary level or raw data level. Everything on a computing device is represented in terms of binary numbers. Binary numbers use only two symbols, either zero or one, and that’s a language your computer speaks.

Criminals hide or manipulate their data at the binary number level or raw data level. Therefore, as a computer forensics investigator, you should also be able to examine the data, in their native format, that is consisting of 0s and 1s. Now, the problem associated with this is that, there are simply too many numbers to deal with. Therefore, if there is a more compact way of representing binary numbers, that will help out computer forensics investigator a lot when examining the data at the binary level.

Decimal numbers are for human consumption, and it uses base ten, meaning it uses ten symbols. Binary numbers are meant for the use by computers. It uses base two, meaning, it only uses two symbols, zero and one. Since the data on your computer is stored in binary numbers, there has to be a way to represent data in binary numbers. They way you represent your data in zeros and ones is called encoding.

For example, A is represented by eight binary digits, 01000001. As you can see, displaying the raw binary data takes up a lot of space, and therefore it’s more difficult to deal with when trying to detect a pattern, especially as a computer forensics investigator. One important thing to understand here is that hexadecimal representation of data is more compact. For example, letter A which was represented by 8 binary digits: 0100 0001 could be represented by a hexadecimal number which is 41 Therefore, when binary numbers are translated into hexadecimal numbers, and used for investigations, it is much easier to deal with and better for detecting a pattern.

Think about the difference between 01000001 vs 41 Which one do you think is easier to deal with? Each binary digit is referred to as a bit. One byte consists of eight bits and usually, one byte is all it takes to represent a letter in an alphabet, and typically, one byte is all it takes to represent a character. For example, A is represented by zero, one, zero, zero, zero, zero, zero, one and hex number is four one.

Again, eight binary digits or bits were used to represent the letter A which is one byte. It can in turn be represented using two hexadecimal digits. So now, in a hex number representation, you only need two digits to represent one byte. The hexadecimal number system uses base 16, which means it uses 16 different symbols, 0-9, and then to represent the magnitudes such as ten 11, 12, 13, 14, and 15.

They use letters such as A, B, C, D, E, F. Each Hex digit is capable of representing four binary digits as you can see below. For example, 1111, which is the biggest number you can represent. And four binary digits can be represented as F in the Hex number representation. The knowledge of hexidecimal number system will help you in your future computer forensics investigations because you’ll have to deal with hexidecimal numbers in your hex editors all the time and many computer forensics tools represent their data in hexidecimal numbers

Using a hex editor

Your computer stores everything in terms of binary numbers, or zeros and ones. Criminals manipulate these binary numbers to hide their data and you need hex editors to find this hidden data. Hex editors are useful when examining data at the binary level there are various hex editors out there. Some of the hex editors are opened source, some others are commercial hex editors.

Hex Workshop is one of the commercial hex editors out there and compared to open source Hex Editors. Hex editor like Hex Workshop is more advanced than feature-rich, there are some essential Hex Editor features you need as a computer forensics investigator. These essential features include abilities to open big files or local drives. A lot of times what happens is, you have to open an entire drive in a hex editor and for some reason if your hex editor crashes because it cannot handle the size of the file or the drive then it is definitely problematic.

You also need abilities to make and write changes to reveal secrets in hex editors. Another important feature is this ability to search, especially by sectors. Sometimes also you need a feature to shift bits again to rebuild hidden information, almost all of the hex editors that come with this ability to obtain a hash value. And compared to the computer forensics suite, which has various computer forensics features obtaining a hash value using a hex editor is much simpler and faster.

One of the things you confront while you are investigating your data, using a hex editor is this difference between physical and logical drives. Physical drives refer to hard drives, US drives, etcetera the actual tangible physical drives connected to your computer. Logical drives simply refer to the partitions. Another thing to remember when you are using your hex editor is how the data is represented in your hex editor.

Based on our discussion in another video, you know that one byte is equivalent to eight bits and we also talked about how these eight bits, in binaries numbers could be represented to hex digits. So for example, the letter K was represented by two hex digits, 4 and B. So whatever you see in a hex editor, the digits are all in hex numbers.

Mainly for the purpose of somehow making it easier for you to deal with the size of the data. The location of a particular piece of information in a file or a drive is also represented by hex numbers in your hex editor and typically this is done by showing how many letters away a particular piece of data is from the beginning of a file or a sector. Congratulations, now you’re ready to do some basic investigations using a Hex Editor.

Understanding an offset

In the computer forensics literature or talks, you often hear, or read this mention of the word offset and therefore, the understanding of this concept of offset is critical in analyzing or interpreting your data. Offset is significant, especially in the context of locating a piece of information in your data. As I said, offset is a way to refer to a location, either in a file or a drive.

So from a particular reference point, either the beginning of a file or the beginning of a sector or the beginning of an entire drive, by how many bytes a particular location is away, that’s the whole idea behind an offset. So, by how many bytes, usually we use hex numbers to represent the amount, how many bytes? So, for example, if the offset is one-zero in hex, that means the current location of a piece of data is 16 bytes away from a reference point.

So, in this case, a reference point could be the beginning of file. So that is 16 bytes away from the beginning of the file. We use a particular offset notation to make it clear that it is a hexadecimal number. So, for example,. We use the prefix zero and lowercase x to denote that the offset amount is in a hex number. For example, 0x10 means the opposite amount is 10 in hex.

So, the base 16 is showing there, as a subscript and that is equivalent to number 16 in the decimal number system. Now with this information, you can locate any piece of information in a file or a drive. Now you can go ahead and try this yourself, using a tool like Hex Workshop. Now you’ve mastered the concept of offset, so it’s time for you to go out and try it yourself.

Preserving Data

Understanding the role of write blockers in preserving data integrity

In computer forensics, preserving the data integrity or preserving the data itself is one of the top priorities. In this video, we’ll be exploring the role of write blockers in preserving the data integrity in computer forensics situations. Computer forensics rule number one is to not damage your evidence. In this case, the evidence refers to your evidence drive. The risk you’re always running into is, your operating system writing to the evidence drive.

One of the countermeasures to keep this from happening is using a write blocker. There are primarily two different types of write blockers. The first type is hardware write blockers. Usually these devices sit between an evidence drive and a forensics workstation. The second type is a software write blocker, and sometimes this software write blocker is built into a computer forensic suite, like EnCase or ProDiscover.

You could also accomplish the same write blocking effect by changing the configuration of your operating system. This is what a hardware write blocker looks like. When you’re write blocking, there’s some other factors to consider, too. We said that our integrity is the top priority accomplished by using the write blocker. I’d like to emphasize this fact again because it decides the viability of your evidence. In addition to using a write blocker, physical security or chain of custody is also important.

This way, you know who had access to the evidence drive, when and why. And all the information is for example, recorded, in a chain of custody form. So if you know, nothing happened, while you are making an image of an evidence drive using the write blocker, if something happened to your evidence drive, now you know that it happened through unauthorized access, physically. In this course you’ll have plenty of opportunities to use various types of write blockers and you’ll master how to use write blockers.

Using a hardware write blocker

Hardware Write Blockers come in many different forms. In this video, we’ll be looking at some of the most widely used forms of Hardware Write Blockers. The most basic equipment, when it comes to hardware write blocking, is to simply connect an evidence drive through a USB interface. So in this case, you rely on software for write-blocking. In this case, all the hardware write-blocker does, is simply providing an interface between your evidence drive and your computer forensics workstation.

So when you use this type of hardware write blocker, to connect your evidence drive to a computer forensics workstation, through a USB adapter, the solution is relatively cheap, but it’s not worry free in many cases. Here is a picture of a hardware write blocker solution I’ve been talking about so far. You can see a more detailed picture here. When you have all the pieces of this type of hardware write blocker solution put together, it looks like this.

You can see there is a USB cable connected to the hardware write blocker and there is also a SATA cable connected to your evidence drive. Since this type of hardware write blocker could be used for many different types of hard drives, which has its own various interfaces, the hardware write blocker has to come equipped with many different types of interfaces too. So for example, you can see SATA connector data, or Serial ATA connector.

You can also see different types of IDE connectors, depending on what type of hard drive the hardware write blocker is getting connected. And finally, you can see a USB connector that is connected to a computer forensics workstation. A slightly more advanced hardware write blocking solution is a hard drive docking station solution. So the goals in this case are the same as the storage devices to USB adapters we just explained.

One of the features to this type of hardware write blockers is the fact that it has cleaner form factor. Therefore, there are less cables to mess with. Here is a picture of the docking station solution, but for computer forensics professionals, you’ll also need more professional solutions, or more professional equipment. The main goal here is to avoid accidents, and also to comply with legal standards. So let’s say you’re conducting your investigation and in the middle of it somehow something goes wrong with your hardware write blocker and that is the last thing you want, and in some cases, you are required to use this type of more professional equipment.

So that your evidence could be accepted by the court. Of course, this type of professional grade write blockers are more expensive, but they provide worry free operations. One of the examples of this type of professional grade hardware write blockers, is the product made by a company called Tableau. The company is a manufacturer of many other types of computer forensics equipment too. Some of the main features of this type of hardware write blocker, include things like more interface options.

So for example, in this particular solution, it provides FireWire interface, USB interface, eSATA interface, and so on. This type of device also comes with more convenient features like switches. You can turn on or turn off your hardware right blocker. Depending on what you’re doing with your hardware write blocker, you can change the configurations very easily when you’re using this type of hardware write blocker. For example, you can set it up only for reading. You can also set it up for both reading and writing.

It also comes with various indicators which are very helpful when you’re doing your investigation. Here is a picture of a tableau hardware write blocker, and as you can see, it comes with many different types of interfaces, and also, many different indicators. One of the indicators that is standing out is this write block indicator. Which is probably the most critical indicator, and this tells you the right blocking is in action. There are also other solutions in terms of hardware write blocking.

Solve these solutions they come in smaller form factor. In many case, these solutions they have less options. However still provide worry free operations such as the ones provided the tab low solution. The most advanced hardware write-blocking solution could be hard drive duplicators. They’re fast, and they’re mostly Plug-and-Play, so, in this case, all you have to do is simply plug in your hard drives in, and then the rest will be taken care of by the duplicators.

Therefore, it provides an entirely worry-free solution. Here is a picture of a hard drive duplicator. Now, the bottom line is that when you’re trying to purchase a hardware write blocker, the purchasing decision has to be based on the purpose and the nature of your investigation. You don’t always need the most expensive equipment out there. Therefore the budget is a factor, definitely. Here the key is that you’re making informed decisions based on the knowledge acquired from this video

Understanding hashing and its role in ensuring data integrity

Hashing plays an important role in computer forensics. It ensures that a copy of data you’re making is remaining identical to its source. Hashing refers to the process of transforming an input usually a file into an output which is a unique string associated with the file. There are some important characteristics about hashing. Any slight changes you’re making in a file will get amplified in huge changes in its hash value.

This makes it very easy to detect changes made to a file either by accident or on purpose. Hashing ensures data integrity and data integrity means no unintended changes are made in the data. In the context of computer forensics this means evidence drive remains the same during your investigation. That is a forensic image or copy of the evidence drive remains the same throughout your investigation. Therefore hashing is an essential part of your compter forensics investigation.

Any non-trivial computer forensics tools should come equipped with an ability to produce hash values. Now we’ll do a quick demo of hashing on a Linux operating system. For this demo I’m using a remote machine. First, let’s create a text file called test.txt by typing nano Test.txt. Note that there is a space between nano and the file name, test.txt. Nano is one of the text editors you can use on a Linux operating system.

Now press enter. And type a sentence like this. This is a test. Now to save this file, simply press ctrl key and X key together. And then type y to save the file. Since we’re going to be accepting the filename as test.txt all we have to do is press enter here. Now, the next step is to use one of the built in hash algorithms of your Linux operating system. One of those built in Linux hash utility is called md5sum.

So type md5sum, and then the name of the file, which is test.txt, and you see the hash value of the file test.txt right here. Now let’s make some changes in the original file, test.txt. To edit the file again, type nano Test.txt. This time, we’ll actually add one word, so we’ll make the sentence as, This is not a test. And now, save the file by pressing Control and X key together, and type Yes.

And then accept the file name that it is and press enter. We’ll run the hash algorithm again md five sum and test.txt. You can see the two hash values generated are radically different because you made a change in the file testfile.txt. What if you changed the name of the file it’s self, but with out really changing the content. Do you think the has value will change too. Now you can go ahead and try this and see what happens.

Hashing is used in many places in computer forensics. And now you do the concept of hashing and now you know a list want to, you can use to do your hashing. Now you are one step closer to becoming a competent computer forensics investigator

Hashing algorithms

Hash algorithms implement hash functions in many different ways. Some of the well known hash algorithms include MD5, this is still widely used in computer forensics. However, it’s proven to be vulnerable. There’s another algorithm called, secure hash algorithm, or a SHA, this is a more secure version of MD5. There are SHA-1, SHA-2 and SHA-3, which are just different variations of SHA. There are some known vulnerabilities in hash algorithms.

This vulnerability is called a collision and there’s a very remote possibility of a collision whenever you’re using a hash algorithm. Collision occurs when two different files produce the same hash value, although, they use the same hash algorithm. As you can see in this diagram, file one and file two, these are two different files but when they go through the same hash algorithm, sometimes it is possible that you could end up with the same hash value. This almost never happens but theoretically speaking, this could happen.

Collisions have been found in both MD5 and SHA. To make hash algorithm more secure, the hash value generated by your hash algorithm is important. So to make hash algorithm less vulnerable, the bigger the hash value, the less the possibility of a collision. Therefore, a bigger hash value means a stronger and more secure hashing. Now you know all the well known hash algorithms in computer forensics. So it’s time for you to use the tools that implement these various hash algorithms and get more familiar with them.

Data Integrity Rule No.1

need HEx editor to mine patterns

offset explains how far

write blocking
on win8 regedit _LOCAL_MACHINE … SYSTEM .. Current ControlSet .. Control .. New > key
StorageDevicePolicies New DWORD 32 bit WriteProtect Modify change 1
reboot required
get a hardware write-blocker for different interfaces
to avoid accidents and comply w/ legal standards so your reconnaissance can be accepted by courts mfg. Tableau

budget a toolkit

transforming a file
md5sum filename results in a hash

Hash Algorithms
newer better Secure Hash algorithm SHA-1,
collisions, longer hash strengthens hashing and lessens theory of collision possibility

chain of custody form

mounting and un-mounting partitions
a directory where a partition is made visible to the operating system

forensic ubuntu system does not touch a drive when mounting
forensic control for mounting partitions :
umount < name of partition >
sudo fdisk -l
shows storage devices w/ featured partitions
so create a mount point mkdir mount_point
ls out to confirm
mount -t (format) vfat (which) /dev/sdc1 (destination) ./mount_point/

Acquiring data

FTK Imager

Let’s start FTK Imager. Choose run as administrator, click on it. Your FTK Imager is now started. Before you move forward, let’s make sure that you have a USB drive plugged in to your computer. Choose File and then choose Create Disk Image. We’ll go for the default choice, physical drive, and simply click on next. From the list, choose your USB drive. In my case, the USB drive is labeled as Kingston.

So I’m going to be choosing that. Click on finish. Now it’s asking for image destinations. Click on add, and we need to select the destination image type. In this case, we’ll be using the RAW image type, which is DD. Click on Next, and we’ll simply type in the case number as 001. Evidence number 001. Unique description as test. Examiner 001. Notes, test.

Click on next. Now we’ll choose the image destination folder. Click on browse, we’ll choose the destination folder as the desktop, and then click on okay. The image file name I’ll be using, USB drive. You have an option of, breaking your image file into multiple files. It’s called, fragmentation. In this case, I don’t want to do this. So that’s why I type, zero here. Click on Finish, now note that, there’s an option of verifying images, after they’re created.

By selecting this option, at the end of the imaging process, you will have the hash values of the image file. So make sure you choose that option, and click on Start. As you can see, once the imaging is done, the FTK Imager Tool will display the MD-5 hash value of the image, and also the SHA-1 hash value of the image. So, this demonstrates the built-in hash functions of the tool. Note that the FTK imager tool computed the hash value before imaging begins, and then it gets the hash value again after the imaging is done, and it shows both of the hash values match.

When we close the window, we can see that the hashing is now over, so we’ll close this window too though this concludes the imaging operation

Static Acquisition

Static acquisition with an open-source tool

There are commercial tools you can use to get an image of a USB drive or any other types of drives but there also plenty of open source utilities out there you can use to get an image. In this case, we’ll try to use an open source tool called dd to get an image of a USB drive. Before we do anything let’s try to see the name of the USB drive attached to this machine. We can do that by typing f disk and then the option is l.

And we need sudo in front of it because f disk requires a diminished rate of privilege to run. Press Enter and now you see the USB drive showing up as DVSDD1. In this case our goal is to get an image of an entire physical drive rather than a partition on the physical drive. Therefore, we’ll be using dvsdd instead of dvsdd1 to refer to our USB drive.

The command is very simple, just type dd, IF stands for input file. So in this case dev, sdd, instead of sdd 1, which is a partition, now we are referring to an entire physical drive, and then simply type o f or output file, and then the target file name of the image. So in this case, we will say USB image and then .dd as an extension.

So in this case all you have to do now is just pressing enter. Again it complains about the permission because of the same reason why we used sudo before f disk. So we have to use sudo and then dd. Now, recall the command by pressing the up arrow key, and simply type sodu before the dd command. And then we’ll press enter again. The imaging process has now begun and until it’s done you’ll just see this cursor blinking.

One way of checking whether the file has been actually created, is to open another terminal window, to see the name of the file showing up in your directory. So we’ll just do that. And then simply type ls, and as you can see, the file has been created. But, the file will be getting bigger and bigger as the imaging is being done. So, I’ll just type LS to list the details of the file. I’ll use an Option+L to list more details of the files.

And as you can see, the file size is showing up there. And we’ll try it again. And the file size gets bigger. As I was speaking, the imaging process has been over. So go back to the previous window. And as you can see, the imaging is now over. Dd is one of those most basic tools out there you can use to get your simple imaging task done. But there are more advanced tools for the imaging you can use to make your job as a computer forensics investigator easier.

Some of these tools include things such as DCFLDD a forensic version of DD. And there is also a professional grade imager called FDK Imager which is Windows based and we’ll do a demo on that one in another lesson too.

Creating split-disk image files with DD

There is also a way to split your image file into multiple files. This is sometimes necessary because you have to put it on a media like CD, which has only very limited capacities. To do that, we use the same command, DD. And then, input file source which is the physical USB drive. So, that was dev sdd. Now, instead of saying OF or output file here, we will be using something called a filter.

And, the role of a filter in Unix, or Linux, is that, it will be taking the output of the previous command, and then, pass that output, as an input, to the next command. So, whatever is coming out of the d d input file command, the output of that will go to the next command. So, in this case it will be the image file. But, we’ll be splitting it into multiple files. So, the command is split. The block size has to be 650 megabyte, that’s the size we want.

So, that’s why we type 650 M. And then, we need the hyphen, we need a space after that, and then type the name of the image file which is USB image. And then, dot for the extension so when the files are created there will be beginning with this name, USB image, dot and then the extension will be different in a sequential order to reflect the fact that a single image file is not split into multiple files.

Again, you need Sudo to run this command. So, simply press Enter, then using process has begun. While it’s getting done, we can go ahead, and open up another terminal window to see the progress. And, simply type L-S, and you can see that. There have been already two files created, usb image dot aa, usb image dot dd. But, usb image dot dd is the file we created by just using a simple dd command.

Let’s ls again, now usb image.aa is still there, now there is a new file called usb image.ab. So, there will be more files coming after these two, which will be usb and so on. So, the single, image file, which was usb image.dd, the one we created earlier, is now broken down in to multiple fragments with different extensions.

Type ls again, now you see ac there, usb Now, the imaging process is completely over, and if you type ls here, you can see the usb image dot dd file now broken into three individual fragments, aa, ab, and ac. By learning these types of different options when you’re doing imaging, when you’re conducting your computer forensics investigation, you can be a little more flexible in dealing with different situations

Static acquisition with dcfldd (forensic DD)

DCFLDD is a forensic version of DD. It is also an open source computer forensics tool. This lesson will teach you how to use DCFLDD to statically acquire an image from a USB drive. Let’s first check how your USB drive is represented on your operating system. Type sudo fdisk-l press Enter. I already use the sudo command all year, which is why it’s not asking for a password.

So, you may have to type in your password before this step. Next, type sudo, dcfldd, and then input file, which is devsdd. Dvsdd is how your USB drive is represented on this computer. Depending on your setting, your USB drive may be showing up differently. Now type OF of a file and then we’ll name the image as USB image.dd.

We’ll use a couple more options here which is not available to dd. We’ll use hash and say md5 and we’ll also say hash log and then the name of the log file, USB image.log. What this will do is, by the end of the imaging process, it will be producing an MD5 hash value of your image. And then store it in the USB image that log file.

That’s presenter and another nice feature of DCFLD is that it shows the status of your imaging process. And it shows how many bytes have been written. The imaging process is finally over and let’s check the USBimage.log file. To see the content of a file, we’ll be using a command called more. Type more, USB Image.log, press enter. And as you can see, the md5 hash value of your image is now showing. Let’s also check whether the image file has been created. Type LS and, as you can see USB image.dd is there. One thing you may note here is DCFLDD has more computer forensics features, plus it’s easier to use. Therefore it will be the best to use DCFLDD for forensics purposes

Static acquisition with a commercial tool

In addition to the open source imaging utilities there are also some commercial imaging tools. Although some of these tools are commercial they are freely available. One of the such tools is this tool called FTK imager. Here, I’ll demonstrate how to use FTK Imager to create an image. First, let’s start FTK Imager by right-clicking on the icon and Run FTK Imager as Administrator and then go under File.

Choose Create This Image, and then choose Physical Drive. So, as you already know, Logical Drives refer to partitions, Physical Drives are the physical drives attached to your machine like the USB drive. So, we’ll be choosing Physical Drive for our option, click on Next. I already have a USB drive plugged into my machine. So I’m going to be choosing the USB drive, and then all you have to do is simply clicking on finish.

Now you have to say where the file, the image file is going to be saved, click on Add. You have to decide, in this case we’ll be choosing the raw file format which is DD. This gives you an exact copy of your physical drive, also called a bit by by copy. There are some other file formats available such as SMART, EO1, AFF, all these other file formats are used for proprietary tools so called computer forensics suite, click on Next.

Type case number and evidence number. We’ll say steady acquisition for unique description examiner and then, test. Click on Next. Now here we have a chance to decide on the image destination folder and we’ll choose, our desktop for our destination. For image filename, simply type USB image. You have an option for fragmenting the image file into multiple files.

In this case, we’ll be choosing zero to not do the fragmenting. Click on Finish. You have an option to show, once the imaging is done, the hash values of the image file, so we’ll choose that option. Click on Start. The imaging process has begun. Note that the image file has been created on your desktop. Now imaging is done, and since you chose the verification option earlier, that’s why it shows the hash values of the image file and the source drive and it shows both MD5 hash and SHA1 hash are matching.

So the imaging has been successful. Click on Close and then click on Close, the imaging is done and as you can see, there is our image file created now. One of the reasons why this FTK Imager, the commercial version, is fairly available is that it can only create an image like this. To be able to analyze this image file, you actually have to have another computer forensic suite to conduct the analysis. So creating an image is just the beginning of the investigation and it requires more sophisticated tools to get deeper into your investigation.

Live acquisitionLive acquisitions are becoming more common and necessary in computer forensics investigations these days because of the changes in the computing technologies and also, due to encryption. Live acquisitions acquire data from a volatile source, for example, main memory or random access memory, or RAM. In a volatile source of data, data goes away from the storage part of a device after the device is turned off.

Memory dump analysis with VolatilityVolatility is an open source live acquisition tool. In this lesson, we’ll learn how to use volatility to conduct a live acquisition. Volatility is a command prompt tool. So we’ll have to open our command prompt on Windows. Press Windows key, and then R, together, and then simply type CMD. Click on okay, now you’re ready to type in your command. As you can see, my volatility program is copied on my desktop which is why I have to change my directory to the desktop. Type cd desktop. Once you’re in your desktop directory, type the name of the program which is volatility, and type the rest of the name of the program. Before we move forward, we need to copy our memory dump file to the desktop too.

Open your windows explorer by pressing the window key and then E key together. Go to Desktop, select Exercise files, choose chapter 4, and then you see windows.raw file. Right click on it, select copy, and then paste it on your desktop. We’re going to close this window. Now you’re ready to try the memory dump file. Next, in your command prompt window.

Use option -f, and then the name of the memory dump file. In this case, windows.raw. The first thing we’re trying to do is to learn more about the memory dump and the operating system from which memory dump was made. For that, we use the keyword image info, and then press enter. So this will take a little bit of time. Now you have your result back. One of the key thing, you have to look for, is suggested profile. As you can see, in the list, the suggested profile is Win7SPOx 64.

That information is very important for our next step. In the next step, we are going to try to display all the processes that were running when the memory was dumped. So again, the same command. However, this time, instead of using image info, we’ll be using a different keyword. We need a new option dash dash profile, and use the profile information we retrieved in our previous step which was win. Seven-S, P-zero, X-six-four, and then, a new keyword, which is P-S-list, so Process List, and then we’ll press Enter.

Now, as you can see,. This lists all the processes that we were running when the memory was captured. To give you another example, regarding what you can do with your memory dump especially with volatility, I’ll try to display your internet history. To do that the command is pretty similar, except for the PS list part. Now we need a new keyword, which is IE history. As you might have guessed, IE in IE history is Internet Explorer. Press enter. So this is going to take longer than the previous two steps. So let’s pick back up. When this is over. Now, finally, you’re starting to see some results.

As you can see, you see all the websites you have visited on the computer. A tool like Volatility provides computer forensic investigators with a lot of very useful information. Therefore one of the first things you may want to do when you arrive at a crime scene is to conduct a live acquisition. So whenever you come across a situation in which you try to capture information in the memory. Live acquisition is probably your best bet. Now, at least you know one way to conduct your live acquisition

Remote acquisition with a commercial tool

A remote acquisition typically requires a pair of softer programs. One acting as a server and the other acting as a client. The server side of the program resides on the suspect machine from which the data is supposed to be recovered. And the client side of the program is where the data recovered from the suspect machine is going to be stored. We’ll start with the suspect machine. The server program in this case is called HDHOST. I’m going to be starting the program by right-clicking the icon.

Select run as the administrator this is critical because this program is not going to be working if you are not running it as an administrator. Click on, run as administrator, click on yes now make sure you choose TCPIP. And then, make a good note of this IP address Because on the client side, you’ll need this IP address to get connected to the server side here.

On the suspect side or the server side, now all you have to do is to click on wait for connection. Now the suspect machine is ready, now let’s switch to the client’s side. On the client’s side, we run the software called disc explorer. Select the icon, right click. Also run as administrator, click on yes. Go to file, click on drive. And then click on, remote. Again, choose, LAN and the IP address you see here:, that’s the IP address of the client machine.

Now we need an IP address for the server machine. And we took a good not of it. Let’s double-check the IP by going back to the server machine it is Let’s go back. Now let’s write down the IP here: Now all you have to do is, click on connect. If the connection is established successfully, you’ll see this window.

And you can see the remote drive who’s capacity is 60 gigabyte. Just click okay and as you can see the remote drive shows up. It has two partitions, the first partition has 100 megabyte. The second partition has 59.9 gigabyte. Just click okay, now you are ready to do the imaging from the remote drive. To initiate the remote acquisition, go to tools, select create image file. And then decide on the name of your image file.

In this case, we’ll name it as remote drive. Now the only thing that’s left is clicking on start. And as you can see the imaging has begun. The power of remote acquisition is that you don’t really have to be there in person to acquire the image. As long as you have a stable network connection, any remote route can be imaged. Of course, the faster network connection you have, the better.

Analyzing Data


Indexing is another very important feature in a computer forensics software suite, especially in terms of searching. Indexing refers to the process of creating a catalog by going through an evidence drive and recording the location of each data item. To give you an analogy, creating an index for a book is similar to creating an index for an evidence drive. Once you create an index in your book, you can get to a page of your interest very quickly based on a keyword.

The same applies to your evidence drive. Once you have an index created, getting to the data item is much, much faster because you know where the data item is already located based on the keyword. Especially in the context of searching. Once you have your indexing done, the speed of searching gets really, really fast because there is now a direct mapping between your search keyword and the location of the keyword in your evidence drive.

All you have to do is to go to that location based on the index, without really having to do the search over and over again every time you look for a keyword. Initially, indexing takes a long time, because it has to go through every single data item in your evidence drive and then somehow record the location of each data item based on their keywords. Therefore typically, when you try to acquire an image out of an evidence drive, you always have an option to do your indexing.

In some cases indexing is referred to as processing. So when you see the world processing, you should associate that word with indexing. Once indexing is done, your research process will be much more accelerated


Having the ability to search in a computer forensics investigation is essential. Investigators always have a need to do their search, based on a keyword related to the nature of the case he or she is working on. To demonstrate how a search is conducted, using a computer forensics suite, we’ll be using a tool called Autopsy here. Autopsy, is one of the most popular computer forensic software suites out there, and I highly recommend it.

Let’s start autopsy by clicking on the icon on the desktop. Do a right click, select Run As Administrator. We’ll start by clicking on Create New Case. Type your case name, we’ll use searching. Choose your base directory if it’s not already chosen. In my case, I used desktop. Click on Next, and use case number 001, examiner, and click on Finish.

Now the step involves loading an image. I already created an image of an evidence drive, so we’ll be using that image for this exercise. Before you click on Browse, make sure the option Image File is selected. Click on Browse, choose USB Image.001. In your Exercise folder chapter 4, click on Open, click on Next, click on Next again, as you can see now your image is successfully loaded.

Click on Finish, go ahead and select usbimage.001, and click on the plus sign next to it. Select volume two, and you can see the files inside that volume. One of the things you notice is a file with an X mark. What this means is, that the file is deleted. However, your computer forensics suite is able to detect the deleted file, and you can even recover it by right clicking, Extract Files.

Let’s try to export it to our desktop. Choose Desktop and then click on Save. File extracted. Now, go to the file. Let’s see if we can open it. Click on Preview, and you can see the picture file. Close the window. The next thing we’ll try to do, is to conduct a search, which is our main mission. In this case, we’ll try to find all the files that contain a name. In this case, Bill.

Let’s type Bill, B-I-L-L. Click on the magnifying glass, and out of all the files we have on the disk image, there is only one file that contains the name Bill. This is a very useful feature, not only for conducting your computer forensics investigation, but also for anything you do on a daily basis. You always have a need for looking for a file, based on a keyword. As you can see, searching is a very useful feature in a computer forensics program.

Any computer forensic software suite of course, should come with the type of feature. Therefore, how well, the search feature of a computer forensic suite works, could be a good way to measure the quality of such a computer forensic suite.

Generating a report

Having the ability to auto-generate a report in a computer forensic software suite is a very useful feature. Investigators usually auto-generate a report and use it as a starting point for their report. We’ll use Autopsy to demonstrate how you can auto-generate a report. First go to the Autopsy icon on your desktop, right click on it, and click on Run as Administrator.

Let’s create a new case. And we’ll name the case as reporting. And then click on Next. Case number 001. Type the name of the examiner. Click on Finish. Now it’s time to load an image. We’ll use an image in our Exercise Files folder in chapter five. Click on Browse, and you’ll see USBimage.001.

Choose it, click on Open, and then click on Next. Click on next again. Now, click on Finish. Generating a report in Autopsy is really easy. All you have to do is go to generate report, click on it. And then, choose the type of report. Select Results HTML, click on Next, leave the default choice, click on Finish. The report has been generated. If you click on the link here, it will open a web browser and show your report.

As you can see, the report is here. There is not much to see here, because you haven’t really marked any pieces of evidence in the process of investigation while you were using Autopsy. For any piece of information to show up in the report, you have to mark it actively while you’re doing your investigation. Let’s close the web browser. Click on Close. This time, let’s mark a piece of evidence so that it appears in the report. Go to USB image.

Click on the plus sign next to it. Now let us pick one evidence here, which is dream car. And this is just an image of a car. Do a right-click, and then choose Tag File, and then select Tag and Comment. So we’ll just leave a comment. Click on OK. Now the evidence is marked and it’s going to show up in your report. So let’s generate our report again. Go back to generate report. Click on it. Choose results HTML, click on Next.

Click on Finish. Let’s click on the link again. Now, next to the star icon, you see file tags, click on that. And as you can see the evidence you marked is now showing up with your comment. Any mainstream computer forensics software suite, should come with a feature to auto-generate a report like this. If you don’t see a feature like this in a computer forensics software suite, you should definitely doubt the quality of a computer forensics software suite

Understanding file systems Understanding how an operating system stores files is critical in computer forensics because criminals use this knowledge to hide information. One of the most widely used Windows file systems today is File Allocation Table or FAT. There’s a newer file system called New Technology File System, or NTFS, used by Windows operating systems. This is the latest kind of file system used by Windows operating systems.

The main difference between FAT and NTFS is the file structure database used to store file metadata and to keep track of the location of the file data. For example, FAT uses File Allocation Table as a file structure database, while NTFS uses Master File Table, or MFT, as a file structure database. Let’s go over the terminology a little bit here. Metadata is the data about data.

In the context of file systems, metadata refers to the data about files. For example, data such as file name, time stamp and other file attributes could be considered as metadata. And at the same time, file data is the actual data stored in a file. It’s also important to know the difference between sectors and clusters. Each sector contains 512 bytes of data.

Clusters are the smallest logical unit of file storage. They consist of one or more sectors. Therefore, definitely there is a relationship between sectors and clusters. Clusters consist of sectors. It is also important to know the difference between logical and physical file storage units. Logical file storage unit is what is recognized by an operating system. Clusters are the logical unit used by an operating system.

Physical storage unit is what is recognized by a storage device. Sectors are the physical unit in this case. Therefore, we know that your physical storage device deals with sectors while your operating system deals with logical storage units such as clusters. When your operating system stores a file, they are stored at the cluster level. Because the files are stored at the cluster level, this is what causes a wasted space problem.

For example, let’s say that you have a file whose size is 2,050 bytes. And also let’s assume that a cluster consists of two sectors. As you can see in this picture, your file whose size is 2,050 cannot fit in two clusters. It requires three clusters to be stored. Therefore, you use three clusters to store this file. But then, next time your operating system starts writing a new file, it starts after the third cluster.

Therefore, there is this unused space in cluster number three, as you can see in blue, and this unused, wasted space is called a slack. When it comes to efficiency, especially when you’re comparing FAT and NTFS, NTFS is more efficient because it uses a smaller cluster size compared to FAT, which means it reduces the amount of slack spaces or it reduces the amount of wasted spaces.

There are many more things to learn about systems for you to become an effective computer forensics investigator. This video is a good start, but to become truly knowledgeable about file systems, you need to do a lot more studies.

Understanding the boot sequence

Understanding the concept of boot sequence as a computer forensics investigator is critical, because there are many useful things you can do as a computer forensics investigator by manipulating the boot sequence. Some of the boot sequence related hardware include CMOS and BIOS. CMOS is a volatile memory chip containing time and date information and other configuration information. CMOS stands for: Complimentary Metal Oxide Semiconductor.

It’s a computer chip on a motherboard. BIOS stores a program that loads the hardware drivers. It also loads the operating system. Before your operating system is loaded into the memory. You have to make sure that your memory is operational which is done by loading the driver for the memory. BIOS stands for Basic Input Output System. The BIOS hardware is now being replaced by a new alternative which is called Unified Extensible Firmware Interface or UEFI.

One of the things your BIOS checks when your computer starts is the boot sequence. The boot sequence information is stored in your CMOS, and the boot sequence settings decides which drive to access to read the operating system. This is significant to computer forensics, especially because in computer forensics we are trying to avoid accessing the evidence drive at all costs, because as soon as your operating system has access to your evidence drive. It may write to it and corrupt your evidence.

Therefore the best practice is to boot into a drive containing a specialized operating system with pre-installed computer forensics programs. For example, we have a live CD containing forensic copies of operating systems by using those live live cd’s we can put into the cd drive containing the live cd and then the live cd will provide the operating system for your computer. Not touching anything in terms of your evidence drive.

This is just one example of how to manipulate your boot sequence and use it in your computer forensics investigation. There are also many other uses of changing the boot sequence of your evidence computer. By learning more about these other uses of changing the boot sequence of your evidence computer, you’ll definitely enhance your ability as a computer forensics investigator. Now, let’s look at a computer forensics software suite, live cd called Kali.

When you boot in to Kali, this is the initial screen you’ll get. Choose the first option, live. Press enter, now we have successfully booted in to Kali. What’s nice about Kali, is that it comes with many computer forensic software tools already installed. Let’s check out some of these tools. Click on applications, choose Kali Linux, and then select forensics, and then you see a number of computer forensics tools there.

For example, you see RAM forensics tools, and you see something that’s already familiar to you. I’m in volatility there. There are also some other tools that may be familiar to you too. Let’s go to Forensic Imaging Tools, and you see something called DCFLDD. This is a forensic version of DD. Now let’s choose Forensic Suites, and you see Autopsy there. There are also many other computer forensic tools already built into this operating system. What’s nice about a live cd like this, is that you don’t really have to worry about installing these individual computer forensic software tools on your own.

It all comes with your operating system, and when it’s time for you to conduct your computer forensics investigation, all you have to do is to put into this live CD. There are many more things to explore in this live CD called Kelly, and I hope you’ll sp

Understanding disk drives

Hard disk drives are widely used today and provide a relatively cheap way of storing data. As a computer forensics specialist, you often have to recover data from hard disk drives. And therefore, it is essential to understand how they work to do your job effectively as a computer forensic specialist. Let’s get started by learning some terminology. There are multiple disks inside your hard disk drive. Those are called platters. On both sides of the platters, you have read/write heads.

There’s one read/write head on one side. There’s another one on the other side, as you can see in the picture. This platter is divided into tracks and sectors for addressing purposes. As you can see in the picture, tracks are concentric circular patterns on which data is written. Sectors are evenly divided sections of a track, which typically holds 512 bytes of data. The reason why your platter is divided into tracks and sectors is that they allow you to locate a piece of information when there is a need.

Based on the track number and the sector numbers, you’ll know exactly where the data is stored, and that information is stored in a database so that when there’s a need to locate that piece of information, you can always come back to that location. Cylinder is a collection of tracks at the same location on multiple platters, as you can see in the picture. The total capacity of a hard disk drive can be decided by the number of cylinders, sectors and heads.

For example, if you have 1,000 cylinders, 32 sectors and 100 heads, the total capacity of the hard disk drive can be computed by multiplying all these three numbers. Remember that each sector consists of 512 bytes. That’s why we multiply 512 at the end of the process. Therefore, in this case, you have 1.6 gigabyte of capacity based on the number of cylinders, sectors and heads.

Understanding concepts such as sectors and clusters, and how data is stored using a disk geometry are very useful, especially when investigating a case in which data is hidden by taking advantage of this knowledge.

Understanding the master boot record (MBR) Once your bios selects a disk drive to boot from, the master boot record on your disk is then accessed. The disk you are booting from contains the MBR or Master Boot Record, and MBR keeps track of information on partitions on a storage device such as locations of your partition, the sizes of your partition. The boot level status of your partition because at least one of your partitions has to be set up as bootable so that you’re computer can boot.

The disk your booting from can also contain a piece of software called boot loader. The boot loader is the program that displays the menu screen you see when you start your computer, and typically it gives you options for different operating systems. For example, it could display a message, that allows you to select either Windows seven, or Linux operating system. Your MDR is located in the first sector of a storage device.

There is some software pieces you should be aware of regarding MDR. One of the software you can use to manipulate your MBR is called fdisk. There is also a graphical user interface version of fdisk which is called gparted. Grub is an example of a boot loader. Typically installed by your LENOX operating system. In the second part of this lesson, you’ll have a chance to use GParted. In this part of our lesson, we’re going to learn how to use GParted.

GParted is a live CD, which means you can boot into a Linux operating system that only has GParted. Let’s start the operating system by pressing the Enter key. Here we’ll just select, don’t touch keymap, press Enter, and we’ll choose the default value, press Enter for the language, and then again, we’ll choose the default value. Which is zero, as I told you, G Parted can be used to manage your partition table.

Currently on the hard drive of this virtual machine, I don’t have any operating system on it. Not even a partition table which is why we’re going to create a partition table using G Parted. Go to Device, choose Create Partition Table. We’ll use the Default Partition Table type which is MS-DOS, and click on Apply. Once you create your partition table, now you’re able to create new partitions. We’ll go to New, click on it, and we’ll create a new Windows partition first. We’ll create it as a primary partition, we’ll use our file type as NTFS, and we’ll name it as Windows, and then we’ll adjust the partition size. In this case we’ll make it half of the entire disk. We are ready to click on add. As you can see, now we have a new NTFS windows partition. Next, we’ll create a Linux partition by clicking on new again, and we’ll use up the rest of this space. We’ll still use primary partition.

This time will use file system ext4. Which is a Linux file format, and then we’ll name the partition as Linux, and then click on add. As you can see, now you have two partitions, one Windows, the other Linux. This doesn’t change your partition table until you click on Apply. Let’s click on Apply and see what happens. It shows you a warning message, are you sure you want to apply the pending operations? Simply choose Apply. All operations successfully completed. Click on Close. Now your partitioning process is over.

So based on our lesson, we now know G parted can be used to create new partitions as well as a new partition table. The sole purpose of G parted because it’s a live cd, it’s boot into a Linux distribution that only has gparted, and then help you with partitioning tasks, as well as manipulating your partition table. Gparted is another very useful tool, in the toolbox of computer forensics specialists
Suggested courses to watch next

Hex editor analysis of a file with a wrong extension

Criminals often simply change the extensions of files to mislead computer forensic investigators. With a changed file extension, it is difficult to know exactly what the original file type is. To find out the true type of a file, you could use a hex editor such as Hex Workshop. We have a mystery file here called secret.jpg. And I’ll try to open it with the Windows built-in Photo Viewer. Click on Preview. The Windows Photo Viewer is complaining because this is not a picture file, and we know something’s not right with the file extension. So let’s close the Photo Viewer. And then we’ll open this in a hex editor this time, Hex Workshop. So I’m going to open Hex Workshop here, right-click, Run as Administrator. Choose file under File > Open and we see secret.jpg there. Select it. Click on Open. Pay attention to the beginning bits of the file. These are all in hex numbers. These beginning bits of file is called the file signature. The file signature of this file is 50, 4B, 03, 04, 14, 00, 06, 00.

There is a clue here. It says that .xml here, so we know somehow, it’s related to XML, but we don’t know exactly what file type this is. For later use, let’s simply copy the file signature. We’ll go to Edit, and then select Copy. Let’s close Hex Workshop. You can put together a table of file signatures and these tables of file signatures are called magic tables. There are some magic tables available online, so we will go to a website that has a magic table of file signatures.

Here is your website, featuring a magic table. I’ll just do a simple search. Press Ctrl+F together. If you remember, we copied our file signature. So all we have to do in this case is a search by pasting the file signature in the search window. Ctrl+V. In the magic table, there are spaces after every two hex digits. Therefore, for this search to work, I have to add some spaces, like this.

As soon as I do that, there is a match. So now I know, it’s either DOCX, PPTX or XLSX. So we’ll try to change the file extension and see what happens. So we will start with DOCX. Minimize the window. And I’m going to simply copy this file to my desktop. And then change the file extension to docx. And it’s asking whether I really want to do this, and the answer is yes.

Now, let me try to open this file. And the file opens successfully, which means that this is the right file type, and it says this is a test. Did you enjoy this experience? Based on this, now you should be able to find out the true types of any files out there whose file extensions might have changed it.

Hex editor analysis of a bit-shifted file

Many times, criminals simply shift bits in a file to hide a secret and to mislead computer forensics investigators. In this case, to reveal the secret, all you have to do is to shift the bits back to their original positions. To do this, you can use a hex editor such as Hex Workshop. We have a mystery file here called secret.txt. Let me try to open this using a simple text editor, click on Open.

I don’t know what happened to the original text, but in this case, my strong suspicion is that the bits in the file have been shifted. To know whether this is true, I’m going to open this file in Hex Workshop. I’ll first close this file. Start Hex Workshop. And go to File. Choose Open and select secret.txt. And click on Open. To shift the bits in the file, you have to make some changes in the configuration of Hex Workshop. First of all, go to Options. Under options, choose Toolbars. And then select Data Operations and enable it and click on Open.

As soon as you do that, now you have a button to shift bits to the right or to the left. We’ll try to shift the bits to your left first. Click on this icon. And then click on OK. Nothing happened. Now let’s try to shift the bits to your right. Close the file, select no to this message. And i’m going to open the file again. Click on Open. Choose secret.txt, click on Open.

Now I’ll try to shift the bits to my right. Click on OK. As you can see the secret message is now revealed. It was, this is a test. Shifting bits is one of the most basic techniques you can use to hide your secret. Maybe you can use this technique to keep your secret diary.

courses recommend is Foundations of Programming Web Security with Kevin Skoglund. Network security is a newly emerging field of computer forensics. In this course, we’ll give you very good exposure to network security. Another course I recommend is up and running with Ubuntu Desktop Linux, with Scott Simpson.

As you saw in my video there’s a lot of need for computer forensics specialists. To know more about Linux operating systems. Many tools you use as a computer forensics specialist, are Linux based. Finally I recommend, Python 3 Essential Training with Bill Weinman. Many of the computer forensics tools allow you to write scripts to automate some of the mundane computer forensics tasks. Knowing a language like Python will help you a lot as a computer forensics specialist.

Foundations of Programming: Web Security

Security Overview

What is security?

Why security matters

What is a hacker?

Total security is unachievable

Get in the security mind-set

Write a security policy

General Security Principles

Least privilege

Simple is more secure

Never trust users

Expect the unexpected

Defense in depth

Security through obscurity

Blacklisting and whitelisting

Map exposure points and data passageways

Filtering Input, Controlling Output

Regulating requests

Validating input

Sanitizing data

Labeling variables

Keeping code private

Keeping credentials private

Keeping error messages vague

Smart logging

The Most Common Attacks

Cross-site scripting (XSS)

Cross-site request forgery (CSRF)

SQL injection

URL manipulation

Faked requests and forms

Cookie visibility and theft

Session hijacking

Session fixation

Remote system execution

File-upload abuse

Denial of service

Encryption and User Authentication

Password encryption

Salting passwords

Password requirements

Brute-force attacks

Using SSL for login

Protecting cookies

Regulating access privileges

Handling forgotten passwords

Multi-factor authentication

Other Areas of Concern

Credit card payments

Regular expression flaws

Conversions and transformations

Buffer overflows

Source code managers

Database security

Server security

Analysis, Interp retation and Identification

Authentication of recordings – In many criminal cases, the authenticity of the recording and the content of the recording may be called in to question. Forensic audio and video experts can examine a variety of characteristics of the audio or video recording to determine whether the evidence has been altered. This includes confirming the integrity (verification) of the recording, as well as authenticating that the content of the image or audio is what it purports to be. If the am bient sound present on an audio recording changes abruptly, this could indicate that the environment where the recording took place suddenly changed. The volume and tone of a voice on the recording can provide clues as to distance and spatial relationships within a scene.
Lighting conditions can be examined to estimate the time of day or environmental conditions at the time of the recording. Technical details may also confirm information about a recording. For instance, an unnatural waveform present in the audio or video signal may indicate that an edit has been made. A physical identifier may be present in the signal on magnetic tape that can identify it as a copy or indicate that it was recorded on a particular device. Sometimes, a perpetrator will try to destroy audio or video evidence; however, using these methods, the recording can be analyzed to determine what occurred. In the famous Watergate investigation, a great deal of effort was spent examining an 18 ½ -­- minute gap in an audio recording of President Richard Nixon discussing the Watergate break in with his Chief of Staff.
Analysis of the audio signature [1] left behind in this erased portion allowed investigators to determine which White House tape recorder made the erasure and how many different eras ures were made. Examining the level of AC hum recorded to tape even provided details on whether the recording took place in Nixon’s secretary’s office or in another location. And n ew techniques are constantly being developed.
A unique approach employed in the United Kingdom examines the low -­- frequency hum captured when a recorder is plugged into an electrical outlet or near a strong electrical current. This frequency will alternate s lightly depending on the power load experienced at that time of day. By examining minute fluctuations of this frequency, analysts can determine whether a recording took place at the stated time and whether the recording is continuous and unaltered. This te chnique has been in use in the UK for over eight years; in the United States, this technique is still being researched and databases are being built for comparison.