
DCOM 150

Digital Forensics I
Week 2

DCOM 150 Week2 1


Topics
Review
Part I: Identifying the type of computing system at the crime scene or during a search warrant
This section describes identifying the external components of the PC
Part II: FAT File System (Part I)



Review
Definition of computer forensics
Bits (0 or 1)
Hexadecimal (group of 4 bits)
Bytes or a character (group of 8 bits)
ASCII
Hex Editor



Seizing Digital Evidence at the Scene
Electronic Crime Scene Investigation by NIST (posted in Blackboard)
Initial Evidence Processing Form
Documentation
Use a digital camera to preserve the evidence scene
Draw/diagram the computer setup
Document the components present at the scene



Basic Computer Operation
Input Device: information is entered into the computer through input devices.
Central Processing Unit (CPU): information is processed by the brain & active operator in the computer system.
Output Device: the computer sends responses to commands & the results of its processing to these devices.
Memory/Storage: storage area for all computer information & workspace for computer operations.
Basic Computer Operation
Microprocessor: Central Processing Unit (CPU)
Input devices: Keyboard, Mouse, Scanner, Modem, Thumb drive
Output devices: Monitor, Printer, Plotter, Modem, Thumb drive
Memory/Storage: RAM (SIMM/DIMM), Disk drive
Functions of a computer



Computer Components: Internal Components - Motherboard



Computer Components
Memory Sticks



Computer Components Inside



PC External Components



PC Cases - Front



DVI Port
Digital Visual Interface (DVI) is a video display interface.


VGA Port

Identifying Ports on the back of the computer


Identifying Ports on the back of the computer


Identifying Ports on the back of a computer


Problem #1: Identify Ports

Answers to Problem #1
1. PS2/Mouse port
2. PS2/Keyboard port
3. USB port
4. Printer port
5. Audio In (Line In); Audio Out (Line Out); Mic
6. VGA port
7. Serial port
Problem #2: Identify Ports



Answers to Problem #2
1. PS2/Mouse port
2. Parallel port
3. FireWire (IEEE 1394) port
4. LAN (Ethernet) port
5, 6, 7. Audio In, Audio Out, Microphone
8, 9. USB ports
10. VGA port
11. Serial port
12. PS2/Keyboard port
Basic Evidence Report



ESD (Electro-Static Charge)

How Not to Fry Your Computer Components



File System (Part I)



Bytes vs. Bits
Byte: a group of 8 bits
Bit: binary representation
1 KB = 1024 bytes (~1,000 bytes)
1 MB = 1024 KB (~1,000,000 bytes)
1 GB = 1024 MB (~1,000,000,000 bytes)

CFOR101 Week3 24
What is a File System?
A system for organizing directories and files, generally in terms of how it is implemented in the disk operating system.
A system for organizing and cataloguing files on a data storage medium, comparable to the index in a book.
A way of organizing directories and files on a disk drive.
Examples of File Systems
FAT-12: MS-DOS, floppy disks
FAT-16: Windows 95
FAT-32: Windows 98
NTFS: Windows 2000, NT, XP, Vista, Windows 7, 8 and 10
Examples of File Systems (contd.)
Ext2 and Ext3: Linux operating systems
UFS1 and UFS2: Unix File System (UFS)
HFS and HFS+ (introduced on Mac OS 8.1): Mac, Hierarchical File System
Analysis of the FAT File System
How Disks Store Data
How data is physically stored on a disk
How the OS logically views that data
How Data Is Physically Stored on a Disk
How Data Is Physically Stored: Floppy Disk
In concentric circles (tracks or cylinders)
Each track is divided into sectors
Each sector holds 512 bytes of data
3½" Floppy Disk Structure - Example
Data is written on two sides
Tracks: 80 per side
Sectors: 18 per track
Sector size: 512 bytes
Total sectors = 80 x 18 x 2 = 2880
Total size = 2880 x 512 = 1.44 MBytes
Disk Layout
System area:
  Boot record (sector)
  FAT (2 copies)
  Root directory
Data area:
  Files storage area
Formatting Process for a Disk
Creates tracks and sectors
Creates the boot record
Creates two copies of the file allocation table (FAT)
Creates the root directory
Boot Record
First sector of the disk (sector 0, track 0)
Stores basic information about how the disk is organized
Volume label
File system ID (FAT12, FAT16 or FAT32)
Disk Logical Parts (DOS)
Defined for use by one OS only
BOOT RECORD - contains the volume bootstrap loader program & disk parameter block.
FAT - File Allocation Table (2 copies) - a map used by the OS to find the parts of files (called clusters or allocation units) on the disk.
ROOT DIR - the first (starting) directory on a disk.
FILES STORAGE AREA - where all the parts of files are stored.
Disk File System

Data Area
Reserved area: Boot record | FAT area | Root directory
Data area: starts at Cluster 2
Cluster Definition
Cluster - defined as a group of sectors represented by one entry (pointer) in the FAT
Also called an allocation unit
Can be just one sector or more than one
Each entry in the FAT points to a cluster
Once a cluster is assigned to a file, all the sectors in that cluster are used by that file
Root Directory Table
Lists all files and subdirectories assigned to this table:
Filename and extension
Time and date of creation or last update
File attributes
Partial Directory Entries

name     ext   size   date      time      cluster   attributes
Test           0      2/12/16   7:00 pm   10        dir
myfile   doc   1233   2/13/16   8:00 pm   11        arc
Data Area
Finding the first cluster
The first cluster starts at Cluster 2
Cluster 2 is the data area
The reserved area and the FAT do not use cluster addresses
Data Area (contd.)
Cluster 2 starts after the root directory.
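To make the reserved-area layout concrete, here is an added Python example (not from the slides) that builds a constructed FAT12 boot sector with the 1.44 MB floppy geometry used earlier in the deck, parses the disk parameter block fields the boot record stores, and computes where the FAT copies, the root directory and cluster 2 begin. The volume label and serial number are made-up values.

```python
import struct

BPB = "<HBHBHHBHHHII"   # BIOS Parameter Block fields, at offset 11 of the boot sector
def build_floppy_boot_sector() -> bytes:
    """Constructed 1.44 MB floppy boot record (sector 0); label and serial are made up."""
    sector = bytearray(512)
    struct.pack_into(BPB, sector, 11,
                     512,    # bytes per sector
                     1,      # sectors per cluster
                     1,      # reserved sectors: just the boot record
                     2,      # number of FAT copies
                     224,    # root directory entries (32 bytes each)
                     2880,   # total sectors = 80 tracks x 18 sectors x 2 sides
                     0xF0,   # media descriptor
                     9,      # sectors per FAT
                     18,     # sectors per track
                     2,      # heads (sides)
                     0,      # hidden sectors
                     0)      # 32-bit total sectors (unused when the 16-bit count is set)
    sector[38] = 0x29                      # extended boot signature: label and FS type follow
    struct.pack_into("<I", sector, 39, 0x1234ABCD)   # volume serial number (constructed)
    sector[43:54] = b"EVIDENCE   "         # volume label, 11 bytes, space padded
    sector[54:62] = b"FAT12   "            # file system ID string
    sector[510:512] = b"\x55\xAA"          # boot sector signature
    return bytes(sector)

def parse_boot_record(sector: bytes) -> dict:
    """Read the disk parameter block and compute where each region starts (in sectors)."""
    if len(sector) < 512 or sector[510:512] != b"\x55\xAA":
        raise ValueError("not a valid boot sector: missing 0x55AA signature")
    (bps, spc, reserved, nfats, root_entries, total16,
     _media, spf, _spt, _heads, _hidden, total32) = struct.unpack_from(BPB, sector, 11)
    root_dir_sectors = (root_entries * 32 + bps - 1) // bps   # round up to whole sectors
    root_start = reserved + nfats * spf    # FAT copies follow the boot record, root dir follows them
    return {
        "sectors_per_cluster": spc,
        "root_dir_first_sector": root_start,
        "root_dir_sectors": root_dir_sectors,
        "data_start_sector": root_start + root_dir_sectors,   # cluster 2 begins here
        "total_sectors": total16 or total32,
        "volume_label": sector[43:54].decode("ascii").rstrip(),
        "fs_type": sector[54:62].decode("ascii").rstrip(),
    }

def cluster_to_sector(info: dict, cluster: int) -> int:
    """Reserved area and FATs have no cluster addresses: data cluster numbering starts at 2."""
    if cluster < 2:
        raise ValueError("clusters 0 and 1 are not data clusters")
    return info["data_start_sector"] + (cluster - 2) * info["sectors_per_cluster"]
```

On this geometry the root directory occupies 14 sectors starting at sector 19, so cluster 2 begins at sector 33, immediately after it.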
Metadata
"Data about data": information that describes another set of data.
A common example is a library catalog card, which contains data about the contents and location of a book.
For a file, metadata includes:
When it was created, accessed and/or modified
File dates, sizes and attributes
FAT: File Allocation Table
File System
Road map to data on a disk
Determines how data is stored on the disk
FAT - File Allocation Table
Defined as a map or linked list used to locate or link the remaining clusters of a file on a disk.
DOS uses the starting cluster # to find the first cluster in the File Storage Area.
DOS uses the FAT to find the remaining clusters of the file in the File Storage Area.
File Allocation Table (FAT)
Lists the location of file segments (clusters) on a disk in a one-column table
Width of each entry in the column is 12 bits
Lists how each cluster on the disk is currently used
How the OS Uses the FAT and Directory Table - Example 1
Cluster size = 512 bytes

Partial Directory:
File name   Starting Cluster #   File size
Hello.txt   5                    123

FAT:
Cluster #   Next Cluster #
5           EOF
6           9
9           EOF

Data area: Cluster 5, Cluster 6, Cluster 9

1. OS reads the file name and starting cluster number.
2. OS retrieves the contents of cluster 5 on the disk.
3. OS returns to the FAT, looks at the 5th cluster in the FAT, and reads EOF.
How the OS Uses the FAT and Directory Table - Example 2
Cluster size = 512 bytes

Partial Directory:
File name   Starting Cluster #   File size
sam.txt     10                   1234

FAT:
Cluster #   Next Cluster #
10          11
11          12
12          EOF

Data area: Cluster 10, Cluster 11, Cluster 12, Cluster 13, Cluster 14

1. OS reads the file name and starting cluster number.
2. OS retrieves the contents of cluster 10 on the disk.
3. OS returns to the FAT, looks at the 10th cluster in the FAT, and reads 11, which is the next segment of the file in cluster 11.
4. OS retrieves the data from cluster 11 on the disk.
5. OS turns to the FAT and reads the content in cluster 11, and it reads cluster 12.
6. OS retrieves the data from cluster 12 on the disk.
7. OS turns to the FAT and reads the content in cluster 12, and it reads EOF.
How the OS Uses the FAT and Directory Table - Example 3

Partial Directory:
File name   Starting Cluster #   File size
Hello.txt   5                    1234

FAT:
Cluster #   Next Cluster #
5           7
6           0
7           9
8           0
9           EOF

Data area: Cluster 5, Cluster 6, Cluster 7, Cluster 9

1. OS reads the file name and starting cluster number.
2. OS retrieves the contents of cluster 5 on the disk.
3. OS returns to the FAT, looks at the 5th cluster in the FAT, and reads 7, which is the next segment of the file in cluster 7.
4. OS retrieves the data from cluster 7 on the disk.
5. OS turns to the FAT and reads the content in cluster 7, and it reads cluster 9.
6. OS retrieves the data from cluster 9 on the disk.
7. OS turns to the FAT and reads the content in cluster 9, and it reads EOF.
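Examples 1 to 3 all perform the same lookup: take the starting cluster from the directory entry, then follow FAT entries until EOF. This added Python example (not from the slides) implements that walk over a constructed FAT and data area modelled on Example 3, refuses to follow a chain into a free cluster or a loop, and reports the slack space left in the last cluster. The EOF and FREE markers, the cluster contents and the report fields are constructed for the example.

```python
import math

EOF = "EOF"          # the slides write the end-of-chain marker as EOF (real FAT12 uses 0xFF8-0xFFF)
FREE = 0             # a 0 entry means the cluster is unallocated
CLUSTER_SIZE = 512

# Constructed data mirroring Example 3: Hello.txt is 1234 bytes, starts at cluster 5,
# and its chain runs 5 -> 7 -> 9 while clusters 6 and 8 are free.
FAT = {5: 7, 6: FREE, 7: 9, 8: FREE, 9: EOF}
DIRECTORY = {"Hello.txt": {"start": 5, "size": 1234}}
DATA_AREA = {5: b"A" * 512, 6: b"-" * 512, 7: b"B" * 512, 8: b"-" * 512, 9: b"C" * 512}

def walk_chain(fat: dict, start: int) -> list:
    """Follow the FAT from the starting cluster until EOF, the way DOS locates a file's segments."""
    chain, current = [], start
    while True:
        if current in chain:                       # a cross-linked or looping chain would never end
            raise ValueError(f"FAT chain loops back to cluster {current}")
        chain.append(current)
        nxt = fat.get(current)
        if nxt == EOF:
            return chain
        if nxt is None or nxt == FREE:             # chain runs into an unallocated cluster
            raise ValueError(f"cluster {current} points to unallocated cluster {nxt!r}")
        current = nxt

def read_file(name: str, fat=FAT, directory=DIRECTORY, data_area=DATA_AREA) -> bytes:
    """Concatenate the file's clusters in chain order and cut at the directory's file size."""
    entry = directory[name]
    chain = walk_chain(fat, entry["start"])
    return b"".join(data_area[c] for c in chain)[:entry["size"]]

def chain_report(name: str, fat=FAT, directory=DIRECTORY, cluster_size=CLUSTER_SIZE) -> dict:
    """Compare the chain length with the size field and measure the slack in the last cluster."""
    entry = directory[name]
    chain = walk_chain(fat, entry["start"])
    expected = math.ceil(entry["size"] / cluster_size)
    return {
        "chain": chain,
        "clusters_expected_from_size": expected,
        "size_matches_chain": expected == len(chain),   # mismatch hints at a corrupt or tampered entry
        "slack_bytes": len(chain) * cluster_size - entry["size"],   # unused tail of the last cluster
    }
```

For the 1234-byte file the three 512-byte clusters hold 1536 bytes, so 302 bytes of slack remain at the end of cluster 9; that slack can still hold remnants of whatever previously occupied the cluster.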
FRAGMENTED DISK
            1        2        3        4        5
CYL 0    FILE C   FILE 2   FILE A   FILE B   FILE B
            6        7        8        9       10
CYL 1    FILE C   FILE A   FILE D   FILE G   FILE D
           11       12       13       14       15
CYL 2    FILE E   FILE 6   FILE E   FILE F   FILE E
           16       17       18       19       20
CYL 3    FILE 7   FILE E   FILE F   FILE G   FILE D
           21       22       23       24       25
CYL 4    FILE 1   FILE 4   FILE A   FILE 3   FILE 5
           26       27       28       29       30
CYL 5    FILE 4   FILE 4   FILE 1   FILE 4   FILE 3
           31       32       33       34       35
CYL 6    FILE 6   FILE E   FILE 6   FILE 7   FILE E
NO FRAGMENTATION: COMPLETELY DEFRAGMENTED DISK
            1        2        3        4        5
CYL 0    FILE A   FILE A   FILE A   FILE B   FILE B
            6        7        8        9       10
CYL 1    FILE C   FILE C   FILE D   FILE D   FILE D
           11       12       13       14       15
CYL 2    FILE E   FILE E   FILE E   FILE E   FILE E
           16       17       18       19       20
CYL 3    FILE E   FILE F   FILE F   FILE G   FILE G
           21       22       23       24       25
CYL 4    FILE 1   FILE 1   FILE 2   FILE 3   FILE 3
           26       27       28       29       30
CYL 5    FILE 4   FILE 4   FILE 4   FILE 4   FILE 5
           31       32       33       34       35
CYL 6    FILE 6   FILE 6   FILE 6   FILE 7   FILE 7
Demo

Review of File System

Reference: Brian Carrier
Summary
Identify PC external components
Overview of File system
FAT file system
How the FAT file system stores data

Lab #2
Lab 2a: Documenting the Initial Evidence Processing Form
Lab 2b: FAT File System (Part I)
