Computer and Digital Forensics Flashcards
(41 cards)
What does computer forensics mostly involve?
preservation, acquisition, extraction, analysis and interpretation of digital data
What is hardware?
physical components of the computer
What is software?
set of instructions in a program that performs a particular task, contained in hardware
What is ROM?
read only memory, chips on the motherboard that have firmware to start the boot process
what is the system unit?
chassis, motherboard and other internal components
What is RAM?
Random access memory, not permanent and is therefore volatile, chips on motherboard, stores data that is needed currently (ex the word doc ur working on)
What is the ‘brain’ of the computer
CPU, all operations are run through it, chip in the motherboard
What is the HDD?
primary component of permanent storage. RAID is becoming more common and NAS are used to backup
How is the HDD divided?
- Sector - 512bytes
- Cluster - multiple of 2 sectors
- Track - concentric circles around a plater
- Cylinder - groups of tracks above and below each other
what is a bit?
smallest unit of computer language, a one or zero in bianry
what is a forensic image?
an exact duplicate of the entire contents of a HDD
What is visible data?
- data OS is aware of and visible to user
- work product files, swap file data, temporary files
What are swap file data and temporary files?
- Swap: space on HDD swapped around to conserve RAM, sometimes data is left behind
- Temporary: backup copy of presently worked on data in case of a crash
What is latent data?
- data not typically apparent to OS or user, only visible in a forensic image
- slack space, unallocated space, defragmentation, swap space, deleted files
What is slack space and unallocated space?
- Slack: empty space due to the way the HDD stores files (RAM and File types)
- Unallocated: unused HDD area, OS may see as empty but may have old data
What is defragmenting, swap space, and deleted files?
- defrag. : moving noncontiguous data into contiguous clusters
- Swap: orphaned data on RAM due to swap
- delete: some os replace the file by changing the name and then review the space as available
What is the internet cache?
portions of web pages stored on the HDD to make reconstruction easier when you revisit
What are cookies?
placed on HDD by websites to track usage and store info like passwords
What is an IP address?
Internet protocol address. Assigned to devices by networks to track location. can be masked using a vpn (virtual private network), vpns can also protect you online
How are emails and DMs/chats stored?
- emails are stored in compound files
- dms/chats are stored in the RAM and require live data acquisition
What is hacking?
unauthorized computer intrusion. computers have firewalls that are meant to protect from intrusions, require a password and keep log data. Investigators focus on log data, IP, and RAM data
What are the different g’s (phones)?
- 1G: analog - modulated radio signals
- 2G: digital network - first ‘feature’ phones, 2 standards (global system for mobile communication, code divison with multiple access), circuit switched
- 3G: broadband - high speed data communication
- 4G: native IP networks - access internet directly
What are some challenges based on the g’s?
- older phones have no OS (only get a phone directory), 2G has an OS but very different from a computer
- 3 and 4G similar architecturally to a PC, use location and GPS
- many types of phones means many types of hardware and storage
How to extract data from a cell phone?
- first keep in a faraday bag
- Logistical: snapshot of file system
- Physical: more common, duplicate of data
- select multiple tools
