Digital Forensics method to analyze various data hiding spaces in NTFS file system
Tejpal Sharma, Assistant Professor, C.S.E. Deptt., CGC-COE, Landran
Harleen Kaur Sahota, Master of Technology, Department of Computer Science and Engineering

Abstract: NTFS is the file system that stores and manages data on most Windows systems. A suspect can hide data in structures of the file system that are not reachable through the normal file and folder view. This paper proposes a technique for analysing storage media that carry an NTFS file system: the boot sector and its copy are checked for hidden data, the slack space on the disk is analysed for hidden data, and deleted files are examined. The technique helps an investigator collect evidence in cyber crime cases.

Keywords: Digital Forensic, ADS, NTFS, Master File Table, Boot Sector, Slack Space

I. INTRODUCTION

Computer forensics is a branch of forensic science that employs analysis techniques to verify facts and obtain evidence related to computer crimes. Criminals try to hide sensitive information so that, even if their computers are seized, there is no proof that can be used against them. In this kind of high-technology crime the evidence is stored on and transmitted through computers and networks. The computer forensic process analyses digital media such as a hard disk and acquires from it the evidence that may help to solve the cyber crime case in which that disk is involved. There are several ways to hide data in an NTFS file system, and corresponding analysis techniques that can detect and recover the hidden data. The file system itself, which manages the files present on the disk, can be used to hide data.
Computers store data on the hard disk using a file system supported by the installed operating system, and the data stored in files is the main source of evidence in computer forensics.

II. OVERVIEW OF NTFS

NTFS (New Technology File System) is the primary file system of the Microsoft Windows operating systems. It succeeded the FAT file system and offers better performance and reliability, together with features such as file encryption and disk quotas, and gives the user a higher level of security. A file system manages files and folders, and the information needed to locate and access these items by local and remote users. NTFS is used to organize and access information on a hard disk, optical media, diskettes and other media. Its management and safety features include disk quotas and file encryption, through which it can give users stronger security guarantees. Figure 1 illustrates how NTFS organizes the structures on a volume. [5]

Figure 1. Organization of an NTFS volume: NTFS Boot Sector | Master File Table | File System Data | Master File Table Copy

The NTFS boot sector contains the BIOS parameter block, which stores information about the layout of the volume and the file system structures, as well as the boot code that loads Windows. The MFT contains the information necessary to retrieve files from the NTFS partition, such as the attributes of a file. The file system data area stores data that is not contained within the Master File Table. The Master File Table copy contains copies of the records essential for recovery of the file system if there is a problem with the original.

RES Publication 2012 Page 58

III. METHOD TO ANALYSE HIDDEN DATA IN NTFS

The main aim is to recover hidden data from the boot sector, from the copy of the boot sector and from the slack spaces on the disk. In addition, the technique analyses files and folders according to their timing information.
Figure 2. Analysis of hidden data in NTFS: analysis of boot sector and copy of boot sector; analysis of slack space; analysis of deleted files

IV. ANALYSIS OF BOOT SECTOR AND COPY OF BOOT SECTOR

A. Boot sector analysis

The first sector of each partition is its boot sector, 512 bytes in size. For the analysis of hidden data these 512 bytes are divided into four categories, shown in Table 1. [16]

Table 1. Categories according to byte ranges
Category | Byte ranges
A | 14-15, 16-20, 22-23, 32-35
B | 24-25, 26-27
C | 28-31, 36-39, 65-67, 69-71
D | all remaining bytes in 0-511

i. Any change to the bytes of category A makes the file system invalid and the partition inaccessible.
ii. A change to the bytes of category B has no effect on the file system.
iii. A change to the bytes of category C also has no effect on the file system.
iv. A change to the bytes of category D causes a boot sector problem and makes the partition inaccessible.

Rule 1:
1(a) The bytes of category A are reserved and unused; according to Microsoft they must be 0, so criminals cannot use them to hide data.
1(b) The bytes of category B hold the sectors per track and the number of heads. They should contain plausible numeric geometry values; printable (alphabetic) characters in this range are a symptom of hidden data, and further analysis of these bytes can yield evidence related to the crime.
1(c) The values of category C should be zero. A nonzero value in these bytes may be data hidden by the criminal or attacker and must be analysed during evidence collection. Check the value against the partition table first: bytes 28-31 are the hidden sectors field, which on a normally partitioned disk holds the starting sector of the partition, so a value that matches the partition layout is not hidden data.
1(d) Criminals cannot use the byte ranges of category D to hide secret data.

B. Analysis of the copy of the boot sector

A copy of the boot sector is stored at the last sector of the partition.
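The checks of Rules 1(a) to 1(d) and the Rule 2 comparison with the copy of the boot sector, as an added Python example; this is not code from the paper. The boot sector it examines is constructed in the code, not captured from a disk. The category byte ranges follow Table 1, and the field offsets follow the NTFS BIOS parameter block layout (bytes 24-25 sectors per track, 26-27 heads, 28-31 hidden sectors, 40-47 total sectors, 48-55 start cluster of $MFT). The plausibility bounds used for category B (1-63 sectors per track, 1-255 heads) are an assumption standing in for the paper's "alphabetic value" symptom.

```python
import struct

# Byte ranges of the NTFS boot sector as grouped by Table 1 (end offsets exclusive).
CAT_A = [(14, 16), (16, 21), (22, 24), (32, 36)]  # reserved, must be zero (Rule 1a)
CAT_B = [(24, 26), (26, 28)]                       # sectors per track, heads (Rule 1b)
CAT_C = [(28, 32), (36, 40), (65, 68), (69, 72)]   # expected zero by the paper (Rule 1c)


def parse_bpb(bs):
    """Decode the BIOS parameter block fields the analysis needs from a 512-byte boot sector."""
    if len(bs) != 512:
        raise ValueError("boot sector must be exactly 512 bytes")
    f = {"oem_id": bs[3:11], "signature": bs[510:512]}
    f["bytes_per_sector"], f["sectors_per_cluster"] = struct.unpack_from("<HB", bs, 11)
    f["sectors_per_track"], f["heads"], f["hidden_sectors"] = struct.unpack_from("<HHI", bs, 24)
    f["total_sectors"], f["mft_cluster"], f["mftmirr_cluster"] = struct.unpack_from("<QQQ", bs, 40)
    return f


def _nonzero(bs, ranges):
    return [(lo, hi) for lo, hi in ranges if any(bs[lo:hi])]


def check_boot_sector(bs):
    """Apply Rules 1(a)-1(d) to one boot sector; returns a list of findings (empty = clean)."""
    f, findings = parse_bpb(bs), []
    if f["oem_id"] != b"NTFS    " or f["signature"] != b"\x55\xaa":
        findings.append("not a valid NTFS boot sector (OEM id or 0x55AA signature wrong)")
    for lo, hi in _nonzero(bs, CAT_A):  # Rule 1(a): Windows will not mount the volume
        findings.append(f"category A bytes {lo}-{hi - 1} nonzero: volume invalid, not a hiding place")
    # Rule 1(b): geometry must be plausible numbers (assumed CHS bounds stand in for the
    # paper's 'alphabetic value' symptom; the text 'AB' as a head count decodes to 16961).
    if not 1 <= f["sectors_per_track"] <= 63 or not 1 <= f["heads"] <= 255:
        findings.append(f"category B geometry implausible: spt={f['sectors_per_track']} "
                        f"heads={f['heads']} (possible hidden data)")
    for lo, hi in _nonzero(bs, CAT_C):  # Rule 1(c): paper expects zero; confirm against partition table
        findings.append(f"category C bytes {lo}-{hi - 1} nonzero: {bs[lo:hi].hex()} (analyse)")
    return findings


def compare_with_backup(primary, backup):
    """Rule 2: the copy at the last sector must be identical; list (offset, primary, backup) differences."""
    return [(i, primary[i], backup[i]) for i in range(512) if primary[i] != backup[i]]


def build_sample_boot_sector():
    """Constructed (not captured) boot sector of a 4 GB NTFS volume with 4096-byte clusters."""
    bs = bytearray(512)
    bs[0:3], bs[3:11] = b"\xeb\x52\x90", b"NTFS    "          # jump, OEM id
    struct.pack_into("<HB", bs, 11, 512, 8)                    # bytes/sector, sectors/cluster
    bs[21] = 0xF8                                              # media descriptor: fixed disk
    struct.pack_into("<HHI", bs, 24, 63, 255, 0)               # spt, heads, hidden sectors
    struct.pack_into("<QQQ", bs, 40, 8388607, 786432, 2)       # total sectors, $MFT, $MFTMirr LCN
    bs[64], bs[68] = 0xF6, 0x01                                # 1024-byte file records, 1-cluster index
    bs[84:92] = b"\xfa\x33\xc0\x8e\xd0\xbc\x00\x7c"            # start of boot code (constructed)
    bs[510:512] = b"\x55\xaa"
    return bytes(bs)


def analyse_pair(primary, backup):
    """What an investigator runs: rules 1(a)-1(d) on both sectors, then the Rule 2 comparison."""
    return {
        "primary": check_boot_sector(primary),
        "backup": check_boot_sector(backup),
        "differences": compare_with_backup(primary, backup),
    }
```

To use it on an image, read the primary sector from the first sector of the partition and the backup from its last sector and pass both to analyse_pair. Note that on a real Windows-formatted volume the hidden sectors field (bytes 28-31) holds the partition's starting LBA and bytes 36-39 are commonly nonzero, so a category C finding is a prompt to compare against the partition table, not proof of hiding.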
It also holds 512 bytes, with the same content as the boot sector. Modifying the data of the copy of the boot sector has no effect on the file system, which means that criminals can store their data in the copy of the boot sector. [16]

Rule 2: All 512 bytes of the copy of the boot sector can be used to hide secret data.

V. ANALYSIS OF SLACK SPACE

Slack space is space in the file system that remains unallocated or unused, and it can be used to hide data. When partitions are created on a disk, the space left unallocated at the end of the disk is also a kind of slack space, called disk slack space. Three types of slack space are considered here:
(i) disk slack space
(ii) file system slack space
(iii) file slack space

A. Disk slack space analysis

A new hard disk is divided into physical sectors. When the disk is divided into partitions, some space is left unallocated at the end of the disk, behind the last partition. Editing data in this unallocated space does not affect any file system structure and is not detected by the operating system. This space is known as disk slack space.

Rule 3: Disk slack space can be used to hide data.

Analysis steps and extraction of data from disk slack space. When partitions are created on the disk and a file system is installed on each, a portion of the disk can remain unallocated at its end: the disk is physically divided into sectors, while formatting divides it into logical drives whose sizes are constrained by the file system's data structures. Those unallocated sectors can be used by criminals to hide data, so this technique analyses the disk slack space as follows.

Steps:
1. Find the total number of physical sectors (X) on the disk.
2. Find the end sector number (Y) of the last partition on the disk.
3. Compute Z = (X - 1) - Y. If Z = 0, the last partition ends at the last sector of the disk and there is no disk slack space; otherwise follow the next step.
4. Disk slack space exists and contains Z sectors, starting immediately after sector Y.
5. Analyse the data in the disk slack space.

B. File system slack space

When a disk is divided into partitions, a number of sectors is assigned to each volume. When a volume is formatted with a file system (NTFS), some portion at the end of the volume remains unallocated: an NTFS volume is a whole number of clusters (1 cluster = 8 sectors with the default 4096-byte cluster on 512-byte sectors), so 0 to 7 sectors may be left unallocated at the end of the volume. These sectors are known as file system slack space and can be used by criminals to store secret data.

Rule 4: Space left unallocated at the end of the file system can be used to hide data.

Steps to perform the analysis:
1. Find the total number of sectors (FSS) allocated to the file system.
2. Divide FSS by the cluster size of the NTFS file system (in sectors) and take the remainder.
3. If the remainder is 0, there is no hidden data.
4. If the remainder R is nonzero (1 to 7), there may be hidden data in the last R sectors.
5. Compare the copy of the boot sector with the boot sector. If both are the same, the last sector holds the legitimate backup boot sector: check only the other (R - 1) sectors and follow the next step. Otherwise go to step 7.
6. Analyse those sectors. If they are all zero there is nothing hidden; otherwise extract the data.
7. Analyse and collect the hidden data from all R sectors at the end of the file system and extract it.

C. File slack space

When a file is created, it is stored on the disk. NTFS uses the cluster as its storage unit, and each cluster contains 8 sectors. When the file is smaller than 1 cluster (4096 bytes), or the last cluster allocated to a larger file holds fewer than 4096 bytes, some bytes of that cluster remain unused. Those bytes can be used to hide secret data, and changing them does not affect the NTFS structures of the volume.

Rule 5: File slack space in the NTFS file system can be used to conceal data.

Steps to perform the analysis of file slack space:
1. The boot sector is the first sector of the partition; read from it the starting cluster of the MFT.
2. Walk the MFT entries and find the entry of the file to be analysed.
3. Check whether the $DATA attribute is resident or non-resident. If it is resident, the content lives inside the MFT entry and there is no file slack to examine; otherwise further analysis is needed.
4. Read the allocated size and the actual size of the $DATA attribute content. If both values are equal there is no file slack in the data attribute content; if they differ, follow the next step.
5. Find the number of clusters allocated to the data and the starting address of the cluster run.
6. Check whether all bytes after the last byte of actual data in the last cluster are zero. If they are, there is no hidden data in that cluster; otherwise analyse the remaining bytes for hidden data.

VI. ANALYSIS OF DELETED DATA ON THE DISK

When the operating system creates a file, the file is stored in disk clusters and an entry for the file is added to the MFT. That entry contains all the information about the file.
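The three slack-space procedures of Section V (Rules 3, 4 and 5) and the MFT entry walk that the deleted-file analysis of Section VI also relies on, as one added Python example; it is not code from the paper. The FILE record and the last cluster it analyses are constructed in the code to mirror Table 4 (non-resident $DATA, 4096 bytes allocated, 1269 bytes actual, one run at cluster 87042), and the disk and volume sector counts are constructed sample numbers. Record and attribute offsets follow the NTFS FILE record and attribute header layout (fixup array offset and count at bytes 4-7, first attribute offset at 20-21, flags at 22-23; non-resident flag at byte 8 of an attribute, run list offset at 32-33, allocated and actual sizes at 40-55).

```python
import struct

ATTR_DATA = 0x80           # $DATA attribute type id
END_OF_ATTRS = 0xFFFFFFFF  # terminator of a record's attribute list


def disk_slack_sectors(physical_sectors, last_partition_end):  # Rule 3: Z = (X - 1) - Y
    return (physical_sectors - 1) - last_partition_end


def fs_slack_sectors(fs_sectors, sectors_per_cluster=8):  # Rule 4: sectors past the last whole cluster
    return fs_sectors % sectors_per_cluster


def apply_fixups(rec):
    """Undo the update sequence array: NTFS writes the USN over the last 2 bytes of every
    512-byte block of a FILE record and keeps the original bytes in the array."""
    if rec[0:4] != b"FILE":
        raise ValueError("not an MFT FILE record")
    usa_off, usa_cnt = struct.unpack_from("<HH", rec, 4)
    usn, out = rec[usa_off:usa_off + 2], bytearray(rec)
    for i in range(1, usa_cnt):
        end = i * 512
        if out[end - 2:end] != usn:
            raise ValueError(f"fixup mismatch at byte {end - 2}: torn or corrupt record")
        out[end - 2:end] = rec[usa_off + 2 * i:usa_off + 2 * i + 2]
    return bytes(out)


def find_attribute(rec, attr_type):
    """Walk the attribute list of a fixed-up record; return the raw attribute or None."""
    off = struct.unpack_from("<H", rec, 20)[0]
    while off + 8 <= len(rec):
        atype, alen = struct.unpack_from("<II", rec, off)
        if atype == END_OF_ATTRS or alen == 0:
            return None
        if atype == attr_type:
            return rec[off:off + alen]
        off += alen
    return None


def decode_runs(runlist):
    """Decode a run list into [(lcn, clusters), ...]; lcn is None for a sparse run."""
    runs, pos, lcn = [], 0, 0
    while pos < len(runlist) and runlist[pos]:
        len_sz, off_sz = runlist[pos] & 0x0F, runlist[pos] >> 4
        length = int.from_bytes(runlist[pos + 1:pos + 1 + len_sz], "little")
        pos += 1 + len_sz
        if off_sz:  # offsets are signed and relative to the previous run's start
            lcn += int.from_bytes(runlist[pos:pos + off_sz], "little", signed=True)
            pos += off_sz
        runs.append((lcn if off_sz else None, length))
    return runs


def parse_mft_record(raw):
    """Steps 2-5 of the file slack procedure, plus the in-use flag that Rule 6(a) relies on."""
    rec = apply_fixups(raw)
    info = {"in_use": bool(struct.unpack_from("<H", rec, 22)[0] & 0x01)}
    data = find_attribute(rec, ATTR_DATA)
    if data is None:
        raise ValueError("record has no $DATA attribute")
    info["resident"] = data[8] == 0  # byte 8 of the attribute header, as in Table 4
    if info["resident"]:
        size = struct.unpack_from("<I", data, 16)[0]
        info.update(allocated=size, actual=size, runs=[])
    else:
        run_off = struct.unpack_from("<H", data, 32)[0]
        info["allocated"], info["actual"] = struct.unpack_from("<QQ", data, 40)
        info["runs"] = decode_runs(data[run_off:])
    return info


def file_slack(info, last_cluster, cluster_bytes=4096):
    """Step 6: bytes after the real data in the last cluster, or b'' when they are all zero."""
    if info["resident"] or info["allocated"] == info["actual"]:
        return b""
    used = info["actual"] % cluster_bytes
    tail = last_cluster[used:] if used else b""  # a full last cluster leaves no slack
    return tail if any(tail) else b""


def build_sample_record():
    """Constructed FILE record mirroring Table 4: non-resident $DATA, 4096 bytes allocated,
    1269 bytes actual, one run at cluster 87042 (run list 31 01 02 54 01 00)."""
    rec = bytearray(1024)
    rec[0:4] = b"FILE"
    struct.pack_into("<HH", rec, 4, 48, 3)           # fixup array at 48: USN + 2 saved words
    struct.pack_into("<HHHH", rec, 16, 1, 1, 56, 1)  # sequence, links, first attr at 56, in use
    struct.pack_into("<II", rec, 24, 140, 1024)      # used / allocated size of the record
    rec[48:50] = rec[510:512] = rec[1022:1024] = b"\x07\x00"  # USN written over the block ends
    a = 56
    struct.pack_into("<IIBBHHH", rec, a, ATTR_DATA, 80, 1, 0, 64, 0, 2)  # non-resident, unnamed
    struct.pack_into("<QQHH", rec, a + 16, 0, 0, 64, 0)                  # VCN 0..0, run list at +64
    struct.pack_into("<QQQ", rec, a + 40, 4096, 1269, 1269)              # allocated, actual, initialised
    rec[a + 64:a + 70] = bytes.fromhex("310102540100")
    struct.pack_into("<I", rec, a + 80, END_OF_ATTRS)
    return bytes(rec)


HIDDEN_NOTE = b"hidden: XXXXXX1234"  # constructed payload planted in the slack
SAMPLE_CLUSTER = (b"A" * 1269 + b"\x00" * 200 + HIDDEN_NOTE).ljust(4096, b"\x00")


def analyse_sample():
    """Run the three checks on constructed numbers and the sample record and cluster."""
    info = parse_mft_record(build_sample_record())
    return {
        "disk_slack": disk_slack_sectors(976773168, 976771071),  # constructed: Z = 2096 as in Table 2
        "fs_slack": fs_slack_sectors(8388607),                   # constructed: 7 sectors as in Table 3
        "mft": info,
        "file_slack": file_slack(info, SAMPLE_CLUSTER).strip(b"\x00"),
    }
```

The fixup step matters in practice: a record whose last two bytes per 512-byte block do not match the USN is torn or is not a FILE record, and a parser that skips the check reads the USN in place of real data. Rule 6(a) falls out of the same parse: a record whose in-use flag is clear still carries its run list, so the clusters can be read back as long as they have not been reused.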
As the file is created, the allocation status of its clusters changes from unallocated to allocated. When the file is deleted, its data is not erased from the disk: the data remains in the clusters and only their allocation status changes from allocated back to unallocated. This means that the clusters that stored the file are available for reuse, but still contain the file's data.
a) If the file was deleted recently, its MFT entry is still present in the MFT.
b) If more files are created on the same volume after the deletion, the deleted file's MFT entry may be overwritten by a new MFT entry.

Rule 6:
a) A deleted file can be extracted from the information in its Master File Table entry.
b) If the MFT entry has been overwritten by a new entry, the file can still be analysed by a cluster search of the unallocated clusters of the disk partition.

VII. EXPERIMENTAL RESULTS

A. Scenario 1

The criminal hides data in the space on the hard disk that lies outside the limit of the space the user is allowed to use.

Experimental: The analysis found that this space, which the user is not allowed to use, is the disk slack space. According to Rule 3 this space can be used to hide data, and when the analysis was performed on the test disk, disk slack space was detected. Table 2 describes the results of the analysis.

Table 2. Results of the analysis process
Operating System | Microsoft Windows 7 Ultimate
File System | NTFS
Hard Disk | Size: 500 GB
Partitions | C:/, D:/, E:/, F:/ and G:/
Physical Sectors (X) |
End Sector of Last Partition (Y) |
Disk Slack Space (Z) | 2096 sectors

These 2096 sectors were then analysed for hidden files. According to Rule 3 the sectors were examined, and a sector in this range was found to contain an image file (Figure 3).

Figure 3. Image found from hidden data

B. Scenario 2

Data is stored by the criminals/attackers in the free space left unallocated at the end of the file system.

Experimental: A 4 GB partition was created for the test and formatted with NTFS. The analysis was then performed on the disk according to the second technique, and according to Rule 4 file system slack was found in the partition, where someone could hide data. The results are shown in Table 3.

Table 3. Analysis result of file system slack space
Total number of sectors allocated to file system |
Unit size | Cluster = 8 sectors
File system slack space | 7 sectors
Data extracted from hidden area | Figure 4. Image extracted from hidden area

C. Scenario 3

The criminal hides secret data in the unused part of the storage space provided to store a file.

Experimental: Here the second part of the technique is used, whose third procedure analyses the file slack space. The case matches Rule 5, so the analysis is performed according to the steps defined for file slack space. The F:/ drive of the disk is used. The check first reads $Boot at volume sector 0 and obtains from it the starting address of $MFT, which is used to find the MFT entry of the test file (textfile.txt) on which the rest of the analysis is based.

Table 4. Analysis result of file slack space
Starting address of MFT | cluster no. , sector no.
MFT entry of file textfile.txt | cluster no. , sector no.
$DATA attribute | Non-resident (byte 8 of the $DATA attribute is 01)
Allocated size of attribute content | 4096 bytes
Actual size of attribute content | 1269 bytes
Starting address of external cluster | 87042 (decimal)

According to Rule 5 the analysis found data in the file slack space of the data content of textfile.txt. The data is text, shown in Table 5; it gives the type and size of the file and the mobile numbers that the criminals hid in the file's data attribute.

Table 5. Data extracted from file slack space
File type | Text file
Size | 380 bytes
Containing information | Mobile numbers of higher authorities: Planner XXXXXX1234; Plan distributer XXXXXX3245; Regional commander XXXXXX0987; Weapon distributer XXXXXX4329; Area commander XXXXXX2324; any help - XXXXXX0990. Information related to crime plans can be accessed from this website, and login ID aaaa and password crimes555 are used to get the information.

VIII. CONCLUSION

There are spaces in the NTFS file system that a criminal can use to hide secret data. In this paper a technique is proposed for the computer forensic analysis of a computer's hard disk that can be used in crime investigation. The technique is divided into three parts. In the first part both the boot sector and the copy of the boot sector are checked for hidden data. Secondly, data is analysed in the hidden spaces, which include disk slack space, file system slack space, file slack space and deleted files. Different crime scenarios were created, the proposed analysis methods were applied to them, and the results were collected.

REFERENCES
[1] Agarwal, A., Gupta, M., Gupta, S. and Gupta, S.C., Systematic Digital Forensic Investigation Model, International Journal of Computer Science and Security, Vol. 5, No. 1.
[2] Bang, J., Yoo, B., Kim, J. and Lee, S., Analysis of time information for digital investigation, Fifth International Joint Conference on INC, IMS and IDC.
[3] Carrier, B., File System Forensic Analysis, Addison Wesley Professional.
[4] Carrier, B., Open source digital forensic tools, @stake research report.
[5] (v=ws.10).aspx
[6] Chakravarthy, A.S.N. and Kumar, T.V. Sarath, Survey on Computer Crime Scene Investigation Forensic Tools, International Journal of Computer Trends and Technology, Vol. 3, No. 2.
[7] Chow, K.P., Kwan, M.Y.K., Law, F.Y.W. and Lai, K.Y., The rules of time on NTFS file system, Proceedings of Systematic Approaches to Digital Forensic Engineering, Department of Computer Science, The University of Hong Kong.
[8] Davis, J., MacLean, J. and Dampier, D., Methods of information hiding and detection in file systems, Fifth International Workshop on Systematic Approaches to Digital Forensic Engineering.
[9] DMDE Free Edition - Disk Editor, Dmitry Sidorov, last accessed August 2012.
[10] DiskExplorer 4.25 for NTFS file system, Runtime Software, last accessed August 2012.
[11] Dixon, D.P., An overview of computer forensics, IEEE Potentials.
[12] Huebner, E., Bem, D. and Wee, C.K., Data hiding in the NTFS file system, Digital Investigation.
[13] Kai, Z., En, C. and Qinquan, G., Analysis and Implementation of NTFS file system based on computer forensics, Second International Workshop on Education Technology and Computer Science.
[14] Mamoun, A., Sitalakshmi, V. and Paul, W., Effective digital forensic analysis of the NTFS disk image, Special Issue on ICIT Conference - Applied Computing, UbiCC Journal, Vol. 4, No. 3.
[15] Martini, I.A., Zaharis, A. and Ilioudis, C., Detecting and manipulating compressed alternate data streams in a forensics investigation, Third International Annual Workshop on Digital Forensics and Incident Analysis.
[16] Tejpal Sharma, Dhavlesh Rattan, Computer Forensic Analysis of NTFS File System, International Journal of Computer Science and Communication Engineering, Volume 1, Issue 1, October 2012.
AUTHORS' BIOGRAPHIES

Tejpal Sharma received the B.Tech. degree in Computer Science and Engineering and the M.Tech. degree in E-Security from Baba Banda Singh Bahadur Engineering College, Fatehgarh Sahib (Punjab). He is presently working as Assistant Professor (CSE Deptt.) in CGC-College of Engineering, Landran, Mohali (Punjab), India.

Harleen Kaur Sahota received the B.Tech. degree in Computer Science and Engineering from RBIEBT, Punjab and the M.Tech. degree in Computer Science and Engineering from CGC, Landran, Punjab. She has one year of experience as Assistant Professor in the Department of Computer Science Engineering.
More informationDigital Forensics Practicum CAINE 8.0. Review and User s Guide
Digital Forensics Practicum CAINE 8.0 Review and User s Guide Ana L. Hernandez Master of Science in Cybersecurity Digital Forensics Concentration University of South Florida 12-8-2017 Table of Contents
More information3 INSTALLING WINDOWS XP PROFESSIONAL
INSTALLING WINDOWS XP PROFESSIONAL.1 Preparing for installation Objectives.1.1 Windows XP Professional Hardware Requirements.1.2 Hardware Compatibility List (HCL) check.1. Hard Disk Partition.1.4 Required
More informationFile Systems Forensics
File Systems Forensics Section II. Basic Forensic Techniques and Tools CSF: Forensics Cyber-Security MSIDC, Spring 2017 Nuno Santos Summary! Analysis of file systems! Recovery of deleted files 2 Recall
More informationNTFS Recoverability. CS 537 Lecture 17 NTFS internals. NTFS On-Disk Structure
NTFS Recoverability CS 537 Lecture 17 NTFS internals Michael Swift PC disk I/O in the old days: Speed was most important NTFS changes this view Reliability counts most: I/O operations that alter NTFS structure
More informationBackup, File Backup copies of individual files made in order to replace the original file(s) in case it is damaged or lost.
Glossary A Active Directory a directory service that inventories, secures and manages the users, computers, rules and other components of a Microsoft Windows network. This service is typically deployed
More informationSurvey paper - Audio-Video Steganography Using Anti Forensics Technique
Survey paper - Audio-Video Steganography Using Anti Forensics Technique Ms. V.Sarangpure 1 ; Mrs. R. B. Talmale 2 ;Ms. M. Domke 3 1 Final Year M. Tech (CSE), Tulsiramji Gaikwad Patil College of Engineering
More informationThe Sleuth Kit v2.01 and Autopsy Forensic Browser Demonstration. Anthony Dowling
The Sleuth Kit v2.01 and Autopsy Forensic Browser Demonstration Anthony Dowling Date: June 02, 2006 ii Abstract The Sleuth Kit is a collection of Linux tools that perform different aspects of a file system
More informationABSTRACT. Forensic analysis is the process of searching for evidence and preserving it for further
ABSTRACT Forensic analysis is the process of searching for evidence and preserving it for further examination. Examination of the evidence provides important information about suspect s behavior which
More informationIntroduction. Collecting, Searching and Sorting evidence. File Storage
Collecting, Searching and Sorting evidence Introduction Recovering data is the first step in analyzing an investigation s data Recent studies: big volume of data Each suspect in a criminal case: 5 hard
More informationImage Processing and Watermark
IJCST Vo l. 7, Is s u e 1, Ja n - Ma r c h 2016 ISSN : 0976-8491 (Online) ISSN : 2229-4333 (Print) Image Processing and Watermark 1 Dr. Amit Verma, 2 Navdeep Kaur Gill 1,2 Dept. Computer Science and Engineering,
More informationExam : Title. : A+ OS Technologies
Exam : 220-302 Title : A+ OS Technologies QUESTION 1 Under Windows 2000 you consistently receive out of memory messages when running multiple applications. To avoid having to upgrade RAM immediately you?
More informationPractice Test. Guidance Software GD Guidance Software GD0-110 Certification Exam for EnCE Outside North America. Version 1.6
Guidance Software GD0-110 Guidance Software GD0-110 Certification Exam for EnCE Outside North America Practice Test Version 1.6 QUESTION NO: 1 A FAT directory has as a logical size of: A. One cluster B.
More informationTime attributes. User behaviors. Crime Scene
Mengmeng Sept 23 2012 Time attributes User behaviors Crime Scene The rules of changes in time, can be used to analyze certain user behaviors like data access, modification or transfer. The rules differ
More informationChapter 1: Windows Platform and Architecture. You will learn:
Chapter 1: Windows Platform and Architecture Windows 2000 product family. New features/facilities of. Windows architecture. Changes to the kernel and kernel architecture. New features/facilities. Kernel
More informationInstructions For Formatting Hard Drive Windows 7 Command Prompt
Instructions For Formatting Hard Drive Windows 7 Command Prompt How to format a hard drive in Windows Vista, 7 or 8: plus how to format hard drive drive, run the Universal USB Installer setup program,
More informationAcronis Disk Director 11 Home. Quick Start Guide
Acronis Disk Director 11 Home Quick Start Guide Copyright Acronis, Inc., 2000-2010. All rights reserved. "Acronis", "Acronis Compute with Confidence", "Acronis Recovery Manager", "Acronis Secure Zone",
More informationInternational Journal of Advance Research in Engineering, Science & Technology
Impact Factor (SJIF): 5.301 International Journal of Advance Research in Engineering, Science & Technology e-issn: 2393-9877, p-issn: 2394-2444 Volume 5, Issue 6, June-2018 SECURE DATA HIDING IN AUDIO
More informationCS3600 SYSTEMS AND NETWORKS
CS3600 SYSTEMS AND NETWORKS NORTHEASTERN UNIVERSITY Lecture 11: File System Implementation Prof. Alan Mislove (amislove@ccs.neu.edu) File-System Structure File structure Logical storage unit Collection
More informationIT ESSENTIALS V. 4.1 Module 5 Fundamental Operating Systems
IT ESSENTIALS V. 4.1 Module 5 Fundamental Operating Systems 5.0 Introduction 1. What controls almost all functions on a computer? The operating system 5.1 Explain the purpose of an operating system 2.
More informationCSN08101 Digital Forensics. Module Leader: Dr Gordon Russell Lecturers: Robert Ludwiniak
CSN08101 Digital Forensics Lecture 8: File Systems Module Leader: Dr Gordon Russell Lecturers: Robert Ludwiniak Objectives Investigative Process Analysis Framework File Systems FAT NTFS EXT2/EXT3 last
More informationH A N D O U T : I D E N T I F Y I N G A N D M I T I G A T I N G H A R D D R I V E I S S U E S
Revision Date: 5/31/2013 Time 1.0 Hour KEY POINT S A hard drive making a clicking sound is caused by the unloading and loading its heads. However, clicking, grinding or squealing means the hard drive may
More informationIntroduction to Computer Forensics
Introduction to Computer Forensics Subrahmani Babu Scientist- C, Computer Forensic Laboratory Indian Computer Emergency Response Team (CERT-In) Department of Information Technology, Govt of India. babu_sivakami@cert-in.org.in
More informationCrash Proof - Data Loss Prevention
Crash Proof - Data Loss Prevention Software Crash Proof - Data Loss Prevention Crash Proof is data loss prevention software which once installed revives 100% data in the event of a data loss situation.
More informationImplementing Hard Drives
Implementing Hard Drives Chapter 12 Overview In this chapter, you will learn how to Explain the partitions available in Windows Discuss hard drive formatting options Partition and format hard drives Maintain
More informationACCESSDATA SUPPLEMENTAL APPENDIX
ACCESSDATA SUPPLEMENTAL APPENDIX Introduction to DOS and FAT OPERATING SYSTEMS The term operating system refers to the software that is required to manage a computer system and run applications on the
More informationIntroduction to OS. File Management. MOS Ch. 4. Mahmoud El-Gayyar. Mahmoud El-Gayyar / Introduction to OS 1
Introduction to OS File Management MOS Ch. 4 Mahmoud El-Gayyar elgayyar@ci.suez.edu.eg Mahmoud El-Gayyar / Introduction to OS 1 File Management Objectives Provide I/O support for a variety of storage device
More informationCharacter Recognition of High Security Number Plates Using Morphological Operator
Character Recognition of High Security Number Plates Using Morphological Operator Kamaljit Kaur * Department of Computer Engineering, Baba Banda Singh Bahadur Polytechnic College Fatehgarh Sahib,Punjab,India
More informationCourse 832 EC-Council Computer Hacking Forensic Investigator (CHFI)
Course 832 EC-Council Computer Hacking Forensic Investigator (CHFI) Duration: 5 days You Will Learn How To Understand how perimeter defenses work Scan and attack you own networks, without actually harming
More informationTable 12.2 Information Elements of a File Directory
Table 12.2 Information Elements of a File Directory Basic Information File Name File Type File Organization Name as chosen by creator (user or program). Must be unique within a specific directory. For
More informationDIS10.3:CYBER FORENSICS AND INVESTIGATION
DIS10.3:CYBER FORENSICS AND INVESTIGATION ABOUT DIS Why choose Us. Data and internet security council is the worlds top most information security certification body. Our uniquely designed course for information
More informationCHAPTER 11: IMPLEMENTING FILE SYSTEMS (COMPACT) By I-Chen Lin Textbook: Operating System Concepts 9th Ed.
CHAPTER 11: IMPLEMENTING FILE SYSTEMS (COMPACT) By I-Chen Lin Textbook: Operating System Concepts 9th Ed. File-System Structure File structure Logical storage unit Collection of related information File
More informationIntroduction to carving File fragmentation Object validation Carving methods Conclusion
Simson L. Garfinkel Presented by Jevin Sweval Introduction to carving File fragmentation Object validation Carving methods Conclusion 1 Carving is the recovery of files from a raw dump of a storage device
More informationMagic Card User Manual
Table of Contents Magic Card User Manual Magic Card Introduction 2 What is Magic card? 2 Magic Card Features 2 Working Modes 3 Magic card editions 3 Installation 4 System Requirements 4 Pre-installation
More informationManual Format Flash Drive Mac Os X Lion Startup
Manual Format Flash Drive Mac Os X Lion Startup Learn more about Boot Camp and its features for OS X Lion and Mountain Lion. on Mac computers that do not have an optical drive, with a USB flash drive that
More informationAccessData Advanced Forensics
This advanced five-day course provides the knowledge and skills necessary to install, configure and effectively use Forensic Toolkit (FTK ), FTK Imager Password Recovery Toolkit (PRTK ) and Registry Viewer.
More informationText Hiding In Multimedia By Huffman Encoding Algorithm Using Steganography
Text Hiding In Multimedia By Huffman Encoding Algorithm Using Steganography Madhavi V.Kale 1, Prof. Swati A.Patil 2 PG Student, Dept. Of CSE., G.H.Raisoni Institute Of Engineering And Management,Jalgaon
More informationForensic Analysis Approach Based on Metadata and Hash Values for Digital Objects in the Cloud
Forensic Analysis Approach Based on Metadata and Hash Values for Digital Objects in the Cloud Ezz El-Din Hemdan 1, Manjaiah D.H 2 Research Scholar, Department of Computer Science, Mangalore University,
More informationKusum Lata, Sugandha Sharma
International Journal of Scientific Research in Computer Science, Engineering and Information Technology 2017 IJSRCSEIT Volume 2 Issue 4 ISSN : 2456-3307 A Survey on Cloud Computing and Mobile Cloud Computing
More informationEd Ferrara, MSIA, CISSP
MIS 5208 - Lecture 12 Investigation Methods Data Acquisition Ed Ferrara, MSIA, CISSP eferrara@temple.edu Objectives List digital evidence storage formats Explain ways to determine the best acquisition
More informationFORENSICS CYBER-SECURITY
FORENSICS CYBER-SECURITY MEIC, METI 2016/2017 1 st Semester 1 st Exam January 10, 2017 Duration: 2h00 - Use a pen only; no extra material is allowed, such as calculator, scratch paper, etc. - Write your
More informationPage Mapping Scheme to Support Secure File Deletion for NANDbased Block Devices
Page Mapping Scheme to Support Secure File Deletion for NANDbased Block Devices Ilhoon Shin Seoul National University of Science & Technology ilhoon.shin@snut.ac.kr Abstract As the amount of digitized
More informationA Image Steganography based on Non-uniform Rectangular Partition
A Image Steganography based on Non-uniform Rectangular Partition Venkata Ramesh Pokala 1, Y. Dasradh Ram Reddy 2, G. Srinivasa Reddy 3 Asst.Prof of CSE department BVSR, Chimakurthy, A.P, India Abstract:
More informationGJU IT-forensics course. Storage medium analysis
Harald Baier Storage medium analysis / 2014-04-02 1/32 GJU IT-forensics course Storage medium analysis Harald Baier Hochschule Darmstadt, CASED 2014-04-02 Partitions Harald Baier Storage medium analysis
More informationChapter 5 EVALUATION OF REGISTRY DATA REMOVAL BY SHREDDER PROGRAMS. 1. Introduction. Harry Velupillai and Pontjho Mokhonoana
Chapter 5 EVALUATION OF REGISTRY DATA REMOVAL BY SHREDDER PROGRAMS Harry Velupillai and Pontjho Mokhonoana Abstract Shredder programs attempt to overcome Window s inherent inability to erase data completely.
More informationA Physical and Communication Parameter Based Vertical Handover in Hybrid Vehicular Network
Available Online at www.ijcsmc.com International Journal of Computer Science and Mobile Computing A Monthly Journal of Computer Science and Information Technology IJCSMC, Vol. 3, Issue. 6, June 2014, pg.477
More informationGuide to Computer Forensics and Investigations Fourth Edition. Chapter 2 Understanding Computer Investigations
Guide to Computer Forensics and Investigations Fourth Edition Chapter 2 Understanding Computer Investigations Objectives Explain how to prepare a computer investigation Apply a systematic approach to an
More informationINSTITUTO SUPERIOR TÉCNICO
INSTITUTO SUPERIOR TÉCNICO DEPARTAMENTO DE ENGENHARIA INFORMÁTICA FORENSICS CYBER-SECURITY MEIC, METI Lab Guide II Evidence Examination 2015/2016 nuno.m.santos@tecnico.ulisboa.pt 1 Introduction This guide
More informationWhat does a file system do?
System files What does a file system do? A file system is a method for storing and organizing computer files and the data they contain to make it easy to find and access them. File systems exist on hard
More informationA Forensic Log File Extraction Tool for ICQ Instant Messaging Clients
Edith Cowan University Research Online ECU Publications Pre. 2011 2006 A Forensic Log File Extraction Tool for ICQ Instant Messaging Clients Kim Morfitt Edith Cowan University Craig Valli Edith Cowan University
More informationExample Implementations of File Systems
Example Implementations of File Systems Last modified: 22.05.2017 1 Linux file systems ext2, ext3, ext4, proc, swap LVM Contents ZFS/OpenZFS NTFS - the main MS Windows file system 2 Linux File Systems
More informationGuideline Model for Digital Forensic Investigation
Annual ADFSL Conference on Digital Forensics, Security and Law 2007 Guideline Model for Digital Forensic Investigation Salma Abdalla Information Technology Industry Development Agency (ITIDA), salma@mcit.gov.eg
More information