Week 4 - Searching for Evidence Flashcards
What stages come before the Search stage of the investigation?
Indentificaiton
Acquisition
Preservation
What piece of data is being more commonly investigated?
Web history and wed search history. It is not eact proof of criminal activity itself, but it can provide insight into the character of the accused and can lend credibility to a case.
What is the search stage of investigation?
This is the search of evidencial data on the digital devices that can help uncover the truth about the crime.
What is something that must be considered when searching for evidence?
Different spellings of files or searches, including common mispellings. If these are not consider, then any search that was spelled incorrectly will go unnoticed.
What parts of the disk image are searched during investigation?
Partitions
Unallocated space
Host protected area
What can the HPA contain?
Misc files and data not found on the original partitions.
What are the two types of search?
Physical
Logical
What are the two subtypes of logical search?
Brute force
Directed
What happens in the physical search?
When the image is treated as a lump of data, rather than different file systems. It looks for bit patterns in the data as a whole.
What happens in the logical search?
When the files in the image are examinated individually. A file system is required in the image as part of the search.
What kind of data can physical search help you find?
It can help reveal deliberate attempts at concealment. Since physical search avoids the file system, it can find things that are hidden from the file system as it looks at data in the HPA, file slack, unallocated space and bad blocks which might not be visible otherwise.
What is file carving?
It is used in physical search. It tries to find patterns or associations with one part of the data and another.
What are the limitations of physical search?
It cannot cope with zip files, compressed files, or encrypted files.
It can take a long time, as it analyses all available data.
What must you do to prepare for a logical search?
The image must be mounted so that the file system becomes accessable. This means it must be attached to the investigative machine and treated as a disk.
What is string search?
A type of method used in physical search that looks for the prescense of strings and words in the bit data as a whole.
