Forensic computing is the application of science to the investigation and prosecution of crime, or the resolution of conflict, involving computers.
What is digital evidence?
Digital evidence is any data stored or transmitted using a computer that supports or refutes a theory of how an offence occurred, or that addresses critical elements of the offence such as intent or alibi.
Open computer systems store evidence in...
Network computer systems store evidence in...
Embedded computer systems store evidence in...
Using a computer leaves a (messy) trail of activity that...
...corresponds to activity in the real world.
The processor consists of...
...control unit, registers, alu.
The control unit is responsible for...
...fetching instructions from main memory and determining their type.
The processor contains a small number of registers. Some registers are special-purpose, others are general-purpose. List 3 special-purpose registers.
The stack pointer, the link register and the program counter
Describe the function of the Arithmetic and Logical Unit (ALU)
The Arithmetic and Logical Unit (ALU) performs simple arithmetic operations on two input registers, putting the result in an output register.
What is memory for?
The memory stores programs and data.
The memory is divided into cells, each of which has a unique address. Manufacturers have standardized on a cell containing 8 binary digits (or bits) called binary terms (or bytes).
Often, an extra bit is stored with each byte. This bit is chosen so that the total number of bits is either: even or odd. The bit is used for error detection. What is this extra bit commonly known as?
Base 10 (Decimal) What are the decimal digits?
0, 1, 2, 3, 4, 5, 6, 7, 8, 9
Base 2 (Binary) What are the binary digits?
0 and 1
Base 8 (Octal) What are the octal digits?
0, 1, 2, 3, 4, 5, 6, 7
Base 16 (Hexadecimal) What are the hexadecimal digits?
0, 1, 2, 3, 4, 5, 6, 7, 8, 9, A, B, C, D, E, F
Many computer systems bootstrap their operating system in three steps. List them.
1. the first stage boot loader is run from BIOS ROM; 2. the second stage boot loader is loaded from disk and run; 3. the operating system is loaded from disk and run.
A computer system executes simple machine instructions in a never-ending fetch-decode-execute cycle (the heartbeat of the computer). List the five steps.
(1) IF fetches an instruction from memory; (2) ID decodes an instruction; (3) EX executes an instruction using the ALU; (4) MR makes a memory reference (if necessary); (5) WB writes back a register (if necessary).
A magnetic disk comes in a hermetically sealed container. A tiny amount of dust can disrupt its operation.
Spindle, platter, surface, head, track, sector.
Many magnetic disk interfaces are variants of ATA. Variant: Serial ATA (SATA). Alternative: SCSI. What are ATA and SCSI?
Advanced Technology Attachment, Small Computer Systems Interface
A magnetic disk is *read* by moving a head to a given sector address and ? its magnetism.
A magnetic disk is *written* by moving a head to a given sector address and ? its magnetism.
Magnetic disks may use CHS or LBA addressing. What are CHS and LBA?
Optical disks. A spiral of ? and ? runs from the centre to the edge.
Pits and Lands.
Most optical disk interfaces are variants of the ATAPI. What is ATAPI?
Advanced Technology Attachment Packet Interface
Prerecorded optical disk: Pits are ?; lands are ?
Writable optical disk: Pits are ?; lands are ?
dark spots of dye, transparent ones
Rewritable optical disk: Pits are ?; lands are ?
amorphous spots of alloy, crystalline ones.
Optical Disk Reading: A low-powered laser reflects differently above a pit and a land.
Optical Disk Writing: A high-powered laser creates a dark spot of dye (recordable). A high-powered laser creates an amorphous spot of alloy; a medium-powered laser creates a crystalline one (rewritable).
Memory cards provide a large amount of *hidden* [?] storage that often provides vital evidence in an investigation.
memory card organisation
Memory cards have a variety of interfaces. Which of these are memory cards? Compact Flash (CF). Memory Stick Extreme (MSX). Secure Digital (SD). Subscriber Identity Module (SIM). Small Outline Dual Inline Memory Module (SODIMM).
CF, MSX, SD
The controller manages access to the flash memory. The flash memory is a form of EEPROM. What is EEPROM?
Electrically Erasable Programmable Read Only Memory
Memory Card Reading. The controller: ?
(1) reads a page from the flash memory into a buffer. (2) reads the data from the page in the buffer.
Memory Card Writing. The controller: ?
(1) reads a block from the flash memory into a buffer. (2) erases the block in the flash memory. (3) modifies the block in the buffer. (4) writes the block from the buffer to the flash memory.
After a certain number of erasures, a block of flash memory becomes unreliable. What does the controller use to ensure that blocks are used evenly?
Static wear-levelling: ?
writes new data to the least-recently-used block.
Dynamic wear-levelling: ?
moves existing data to the least-recently-used block.
What is file metadata?
Metadata is data about data, e.g. file permissions, size, and file dates and times.
What is the file M-time?
The time at which the data was last modified.
What is the file A-time?
The time at which the file was last accessed.
What is the file C-time?
The time at which the file was created (Win) or changed (Unix).
Give an example of a Windows file path.
Give an example of a Unix file path.
One partition scheme is MBR. What is MBR?
Master Boot Record
How many partitions can be created using MBR?
Name the two types of MBR partition.
Primary and extended.
What is the difference between primary and extended partitions?
Extended partitions can contain additional partitions.
How is the FAT file system laid out on disk?
Reserved area (MBR), FAT area (two FATs), data area (starts with root).
Explain a FAT directory entry.
How many block pointers does an inode have, and of what types?
12 direct pointers; single, double and triple indirect pointers, 1 each.
What does an inode contain?
File metadata, block pointers.
How is the ext3 file system laid out on disk?
Boot area, a number of block groups.
What does a block group consist of?
A superblock, a group descriptor, a block bitmap, an inode bitmap, the inodes, the data blocks.