Thread: Forensics Basic terms

  1. #1

    Forensics Basic terms


    This article is absolutely for beginners, just to give a basic idea of what exactly the terms mean. Please correct me if I am wrong. I prepared this collection for one basic presentation and thought sharing it would be good.

    What is Acquisition?
    Acquisition is the process of copying data bit by bit from a disk to an image / another disk.

    Layman's term:
    Acquisition is the process of copying digital data from a source to an image or another sterilized hard disk, which can be utilized for analysis.

    Why is acquisition needed?

    To avoid data loss
    To retrieve evidence
    To analyze the acquired image; it may lead to the evidence where we can find the root cause of the crime

    To copy the contents of a hard disk to another disk. Hard disk drives are often cloned for batch installation on other computers, particularly those on a network, or for use as backups.

    To copy or replicate the entire contents of a hard disk drive to an image for use as backups, for analysis and more.

    File Slack
    The space between the end of a file and the end of the disk cluster it is stored in. Also called "file slack", it occurs naturally because data rarely fill fixed storage locations exactly, and residual data occur when a smaller file is written into the same cluster as a previous larger file. In computer forensics, slack space is examined because it may contain meaningful data.

    A process of extracting data out of undifferentiated blocks.
    Ex: searching an input for files or other kinds of objects based on content.

    A file that was once associated with a program that still remains on the computer even after the program has been uninstalled. This often occurs when a program is deleted and not uninstalled or when the uninstall portion of the program does not properly uninstall all associated files.

    Space allocated to store files; each cluster consists of 1 to 64 sectors, depending on the size and type of the disk. A cluster is the smallest unit of disk space that can be allocated for use by files.

    Ambient Data:
    It generally describes the data which is stored in file slack, the Windows swap file and unallocated space.

    Unallocated space:
    This is one of the most important places for a forensic investigator, where they can get the data of deleted files and orphan files.

    Unallocated space is simply defined as the area or space on the hard drive of the computer that is available to write data to.

    Unallocated space can contain deleted files or partially deleted files. When a file is deleted, the pointers to the file are removed, but the data remains in unallocated space until such time as the operating system stores another file in the same space.

    It is a technique of hiding a secret message within an ordinary message and extracting it at the destination.

    My friend explained it more clearly in the earlier posts

    Types of images:

    Some of the file types which we can use for analysis / recovery are:
    RAW, DD, SMART, E01, img, gho
    Mostly we use dd to make images, and it's the commonly used application in acquisition packages like TSK, Guymager etc.
    RAW or DD images just contain the data from the original source, and nothing else. Any hash data etc. is usually stored in a separate log file that is generally kept with the image file.

    SMART can store disk images as pure bit streams (compressed or uncompressed).
    The EnCase image (E01) format includes a separate hash for each segment, and the hash file and certain information about the image, including information entered by the examiner, is stored inside the image files themselves. Hence an E01 is more than just the image; it also contains metadata relating to the image file.

    to be continued ....
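An added illustration of the acquisition and file-slack definitions from this post (example code written for this thread, not from the original poster; the toy disk contents and the 512-byte cluster size are constructed): it copies a "disk" block by block like dd, hashes source and image separately as a raw-image workflow does, and then reads the slack left behind when a small file overwrites a cluster that previously held a larger one.

```python
import hashlib
import math

CLUSTER_SIZE = 512  # bytes per cluster in the constructed toy disk


def make_toy_disk() -> bytearray:
    """Constructed sample: a 4-cluster disk where cluster 0 once held a
    larger file that was then overwritten by a smaller one."""
    disk = bytearray(4 * CLUSTER_SIZE)
    old = b"OLD SECRET REPORT " * 20   # 360 bytes, the previous larger file
    disk[0:len(old)] = old
    new = b"hello"                     # smaller file written into the same cluster
    disk[0:len(new)] = new
    return disk


def acquire(source: bytes, block_size: int = 512):
    """Bit-for-bit copy of `source` block by block (the dd model).
    Returns the image plus the SHA-256 of source and of image, which a raw
    (RAW/DD) workflow would record in a separate log rather than in the image."""
    h_src = hashlib.sha256()
    image = bytearray()
    for off in range(0, len(source), block_size):
        block = source[off:off + block_size]
        h_src.update(block)
        image += block
    h_img = hashlib.sha256(image).hexdigest()
    return bytes(image), h_src.hexdigest(), h_img


def slack_space(file_size: int, cluster_size: int = CLUSTER_SIZE) -> int:
    """Bytes between end of file and end of its last allocated cluster."""
    clusters = math.ceil(file_size / cluster_size)
    return clusters * cluster_size - file_size


def file_slack(image: bytes, start_cluster: int, file_size: int,
               cluster_size: int = CLUSTER_SIZE) -> bytes:
    """Return the slack bytes of a file that starts at `start_cluster`
    and occupies `file_size` bytes of contiguous clusters in `image`."""
    start = start_cluster * cluster_size + file_size
    end = (start_cluster + math.ceil(file_size / cluster_size)) * cluster_size
    return image[start:end]


if __name__ == "__main__":
    image, src_hash, img_hash = acquire(make_toy_disk())
    print("hashes match:", src_hash == img_hash)
    print("slack of 5-byte file:", file_slack(image, 0, 5)[:40])
```

The slack read for the 5-byte file still begins with the residue of the earlier 360-byte file, which is exactly why an examiner looks at file slack rather than only at the logical file contents.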


  2. #2
    It's good, and at the same time it also requires knowing why we should know this.
