2. Investigation Theory
Digital Evidence
Order of Volatility
Disks
File Systems
File Data
Deleted Data
Associated Evidence
Summary
3. Three major types of evidence can be found:
Inculpatory evidence: that which supports a theory
Exculpatory evidence: that which contradicts a theory
Traces of tampering: that which does not support any theory, but shows that data was wiped or modified
We want to find all three types of evidence to get the whole picture
4. The data on a system can be broken into two categories: static and volatile.
Volatile data will cease to exist after the system is powered off. Examples of this include memory contents, a list of running processes, a list of open network ports, and a list of users that are currently logged on.
Static data will continue to exist after the system is powered off. Examples of this include hard disk contents, BIOS settings, and other hard-coded values (such as MAC addresses).
5. Increasing volatility (most volatile first):
Register state
Memory
Network
Process
Disk
Floppy disks (FDs)
CD-ROM
6. A byte is 8 bits (11111110 = 254)
A disk can be thought of as a long stream of bytes
The bytes are organized into 512-byte chunks called sectors
The disk is divided into partitions (or slices)
For Intel/DOS-based systems, the partition table describes the partition layout (in the Master Boot Record)
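The slide's description of a disk (a byte stream, 512-byte sectors, a partition table held in the Master Boot Record) can be exercised directly. The following is an added example, not code from the slides: it decodes the four 16-byte primary partition entries at bytes 446..509 of a classic (non-GPT) MBR, converts each entry's LBA start and sector count into byte offsets in the disk stream, and lists the sectors covered by no partition, which an investigator should not skip. The sample MBR is constructed in code (two partitions, two empty slots), not taken from a real disk, and the type-name table is a small hand-picked subset of well-known ids.

```python
import struct

SECTOR_SIZE = 512                 # the 512-byte chunk the slide calls a sector
PARTITION_TABLE_OFFSET = 446      # four 16-byte entries occupy bytes 446..509 of the MBR
ENTRY_SIZE = 16
MBR_SIGNATURE = b"\x55\xaa"       # bytes 510..511 of a valid MBR
ENTRY_FORMAT = "<B3xB3xII"        # status, (CHS start), type, (CHS end), LBA start, sector count

# A few well-known partition type ids (not an exhaustive table).
PARTITION_TYPES = {
    0x05: "extended", 0x07: "NTFS/exFAT", 0x0B: "FAT32", 0x0C: "FAT32 (LBA)",
    0x0F: "extended (LBA)", 0x82: "Linux swap", 0x83: "Linux", 0xEE: "GPT protective",
}


def parse_partition_table(mbr: bytes) -> list[dict]:
    """Decode the four primary entries of a classic MBR, skipping empty slots."""
    if len(mbr) < SECTOR_SIZE:
        raise ValueError("need at least one 512-byte sector")
    if mbr[510:512] != MBR_SIGNATURE:
        raise ValueError("missing 0x55AA boot signature; not an MBR")
    entries = []
    for slot in range(4):
        off = PARTITION_TABLE_OFFSET + slot * ENTRY_SIZE
        status, type_id, lba_start, sectors = struct.unpack(
            ENTRY_FORMAT, mbr[off:off + ENTRY_SIZE])
        if type_id == 0:                       # type 0 marks an unused slot
            continue
        entries.append({
            "slot": slot,
            "bootable": status == 0x80,
            "type_id": type_id,
            "type_name": PARTITION_TYPES.get(type_id, "unknown"),
            "lba_start": lba_start,
            "sectors": sectors,
            # where the partition's first byte sits in the disk's byte stream
            "byte_offset": lba_start * SECTOR_SIZE,
            "byte_length": sectors * SECTOR_SIZE,
        })
    return entries


def find_gaps(entries: list[dict], disk_sectors: int) -> list[tuple[int, int]]:
    """Sector ranges covered by no entry: unpartitioned space that may hold data."""
    gaps, cursor = [], 0
    for e in sorted(entries, key=lambda e: e["lba_start"]):
        if e["lba_start"] > cursor:
            gaps.append((cursor, e["lba_start"] - 1))
        cursor = max(cursor, e["lba_start"] + e["sectors"])
    if cursor < disk_sectors:
        gaps.append((cursor, disk_sectors - 1))
    return gaps


def _entry(status: int, type_id: int, lba_start: int, sectors: int) -> bytes:
    return struct.pack(ENTRY_FORMAT, status, type_id, lba_start, sectors)


def constructed_mbr() -> bytes:
    """A hand-built sample MBR (constructed for this example, not from a real disk)."""
    mbr = bytearray(SECTOR_SIZE)
    mbr[PARTITION_TABLE_OFFSET:PARTITION_TABLE_OFFSET + 4 * ENTRY_SIZE] = (
        _entry(0x80, 0x07, 2048, 204800)      # bootable NTFS, 100 MiB
        + _entry(0x00, 0x83, 206848, 409600)  # Linux, 200 MiB
        + bytes(2 * ENTRY_SIZE)               # two unused slots
    )
    mbr[510:512] = MBR_SIGNATURE
    return bytes(mbr)


if __name__ == "__main__":
    table = parse_partition_table(constructed_mbr())
    for e in table:
        print(e)
    print("unpartitioned sectors:", find_gaps(table, disk_sectors=1_000_000))
```

Running it on a real image means reading its first 512 bytes (for example `open(image, "rb").read(512)`) and passing them to `parse_partition_table`; the byte offsets are what you would hand to a file-system parser to find each partition inside the stream of bytes. Extended partitions and GPT disks need further parsing that this example does not attempt.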
7. File systems manage data storage
Organized into files
Files can be spread around all over a disk in data units
The file system maintains data about a file such as:
Name
Where the data units are
When it was last accessed
Provides an addressing scheme that is easy for humans to understand
Examples: FAT, EXT2FS, FFS, NTFS, EXT3FS
8. Data about files is useful as it can tell us:
Which system account accessed a file last
When that happened
When the file was last written to
When a file was created
By looking at files when we investigate a system we may destroy this sort of evidence
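The point of this slide is that the metadata is evidence and that handling the files changes it. As an added example (not part of the slides), the code below records the stat metadata of a set of files before anything else is done, then hashes their content, and later reports which fields changed. The demo constructs two temporary files, "edits" one the way an investigator opening it in an editor might, and diffs the two snapshots. File names, the sample content and the `demo` helper are constructed for the example; the stat fields are standard `os.stat` results.

```python
import hashlib
import os
import tempfile


def stat_record(path: str) -> dict:
    """Collect the metadata from slide 8 without opening the file.
    os.stat() reads only the file's metadata, so it does not itself touch atime."""
    st = os.stat(path)
    return {
        "size": st.st_size,
        "uid": st.st_uid,              # owning account
        "mtime_ns": st.st_mtime_ns,    # when last written to
        "atime_ns": st.st_atime_ns,    # when last accessed (mount options decide if updated)
        "ctime_ns": st.st_ctime_ns,    # metadata change time on Unix, creation time on Windows
    }


def sha256_file(path: str) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(65536), b""):
            h.update(block)
    return h.hexdigest()


def snapshot(paths) -> dict:
    """Record metadata first, then hash. Hashing reads the content, and on a live
    read-write mount that read can itself update atime: work from an image or a
    read-only mount where possible."""
    snap = {}
    for p in paths:
        rec = stat_record(p)
        rec["sha256"] = sha256_file(p)
        snap[p] = rec
    return snap


def diff_snapshots(before: dict, after: dict) -> dict:
    """Map each path to the list of fields whose value changed between snapshots."""
    changed = {}
    for p, rec in before.items():
        now = after.get(p)
        if now is None:
            changed[p] = ["missing"]
            continue
        fields = [k for k in rec if rec[k] != now[k]]
        if fields:
            changed[p] = fields
    return changed


def demo() -> dict:
    """Constructed scenario: two sample files, one of which is altered between snapshots."""
    with tempfile.TemporaryDirectory() as d:
        kept = os.path.join(d, "untouched.log")
        edited = os.path.join(d, "edited.log")
        for p in (kept, edited):
            with open(p, "wb") as f:
                f.write(b"constructed sample line\n")
        before = snapshot([kept, edited])
        # An investigator "just looking" with an editor that saves on close:
        # content, size and mtime all change, and the original values are gone.
        with open(edited, "ab") as f:
            f.write(b"investigator note\n")
        after = snapshot([kept, edited])
        return {"untouched": kept, "edited": edited, "diff": diff_snapshots(before, after)}


if __name__ == "__main__":
    print(demo())
```

The untouched file shows at most an `atime_ns` change, and only if the volume is mounted with strict access-time updates; the edited file shows `size`, `sha256` and `mtime_ns` changes. Whether reading alters `atime_ns` depends on the operating system and mount options (Linux defaults to `relatime`), which is exactly why the baseline is taken before any file is opened.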
9. File deletion theory is the same across file system types
There are five major actions:
Mark the data describing the file as unallocated
Mark the data unit itself unallocated
Remove the file name so the ‘dir’ or ‘ls’ command does not show it
Delete the link between the file name and the data about the file
Delete the links between the data about a file and data units
The first three are required, the last two are not
10. Deleted data is not removed, but the bit of the disk that holds it may be reused for different data
It is just a matter of time and how much data a system needs to write to disk
We need to get that deleted data before it is overwritten
Therefore we need to do as little as possible on a system that may overwrite the data while we are investigating.
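Slides 9 and 10 together describe why deleted data is recoverable and why it stops being recoverable. The toy file system below is an added example, not code from the slides, and is deliberately simplified: it keeps a name table, an inode table ("the data about the file") and a disk of fixed-size data units, performs exactly the three required deletion actions while skipping the two optional ones, and never zeroes a data unit. The demo deletes a file, recovers it two ways (carving unallocated units for a marker, and following the inode's retained unit links), then creates an ordinary new file and shows both recoveries fail once the units are reused. The file names, contents and the 32-byte unit size are constructed for the example.

```python
from dataclasses import dataclass

UNIT_SIZE = 32   # bytes per data unit in this toy model (a real sector is 512 bytes)


@dataclass
class Inode:
    """'Data about the file': where its data units are and how long it is."""
    units: list
    size: int
    allocated: bool = True


class ToyFileSystem:
    """Constructed model: a name table, an inode table and a disk of fixed-size units.
    It mimics the deletion actions on slide 9; real file systems differ in detail."""

    def __init__(self, units: int = 8):
        self.disk = [bytearray(UNIT_SIZE) for _ in range(units)]
        self.unit_allocated = [False] * units
        self.inodes: dict[int, Inode] = {}
        self.directory: dict[str, int] = {}      # file name -> inode number
        self._next_inode = 1

    def create(self, name: str, data: bytes) -> int:
        needed = max(1, -(-len(data) // UNIT_SIZE))          # ceiling division
        free = [i for i, used in enumerate(self.unit_allocated) if not used][:needed]
        if len(free) < needed:
            raise OSError("disk full")
        for n, unit in enumerate(free):
            chunk = data[n * UNIT_SIZE:(n + 1) * UNIT_SIZE]
            self.disk[unit][:len(chunk)] = chunk             # only written bytes change
            self.unit_allocated[unit] = True
        ino = self._next_inode
        self._next_inode += 1
        self.inodes[ino] = Inode(units=free, size=len(data))
        self.directory[name] = ino
        return ino

    def delete(self, name: str) -> None:
        ino = self.directory.pop(name)             # action 3: name gone from 'ls'/'dir'
        self.inodes[ino].allocated = False         # action 1: file metadata unallocated
        for unit in self.inodes[ino].units:
            self.unit_allocated[unit] = False      # action 2: data units unallocated
        # Actions 4 and 5 (severing the links) are optional and skipped here,
        # and, as on a real disk, no byte of the data units is zeroed.

    def listdir(self) -> list[str]:
        return sorted(self.directory)

    def carve_unallocated(self, marker: bytes) -> list[int]:
        """Unallocated units whose raw bytes still contain `marker` (file carving)."""
        return [i for i, used in enumerate(self.unit_allocated)
                if not used and marker in self.disk[i]]

    def recover_by_inode(self, ino: int) -> bytes:
        """Follow a deleted inode's retained unit links; wrong once units are reused."""
        meta = self.inodes[ino]
        raw = b"".join(bytes(self.disk[u]) for u in meta.units)
        return raw[:meta.size]


def demo() -> dict:
    """Delete a file, recover it, then let ordinary activity overwrite it."""
    fs = ToyFileSystem()
    secret = b"PASSWORD=hunter2 (constructed)"        # 30 bytes: fits one unit
    ino = fs.create("secret.txt", secret)
    fs.delete("secret.txt")
    after_delete = {
        "listed": fs.listdir(),                              # []: the name is gone
        "carved_units": fs.carve_unallocated(b"PASSWORD="),  # [0]: the bytes are not
        "recovered": fs.recover_by_inode(ino),               # full content via inode
    }
    # Something as routine as saving a new 64-byte file reuses units 0 and 1.
    fs.create("report.txt", b"Q" * (2 * UNIT_SIZE))
    after_overwrite = {
        "carved_units": fs.carve_unallocated(b"PASSWORD="),  # []: overwritten
        "recovered": fs.recover_by_inode(ino),               # now 30 bytes of 'Q'
    }
    return {"after_delete": after_delete, "after_overwrite": after_overwrite}


if __name__ == "__main__":
    print(demo())
```

The second half of `demo` is the slide's "just a matter of time" in miniature: nothing malicious happened, a new file simply landed on the first free units. The same applies to an investigator's own activity on a live system, which is why copies are taken early and work is done on the copy.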
11. Digital evidence at best can only tell you which computer account did what, and when.
When only one person has access to the account details then it is easy to identify a culprit.
However, sometimes we need to look into the real world for other associated evidence such as:
CCTV
Building entry logs
Statements from witnesses
12. We don’t want to prove someone guilty. We want the truth, so don’t ignore sources of exculpatory evidence.
Be aware of what effect our investigation actions are going to have on the evidence.
Use forensically sound tools to avoid damaging evidence.
Take copies of data early to avoid overwriting valuable deleted data.
Look for non-digital sources of evidence that can support the investigation.