1. Go online and research some tools that would be valuable in collecting both live memory images and images of various forms of media. Put together a shopping list for your manager that includes the tools that need to be purchased. Include a price if applicable. (300 words)
Chapter 7 ppt
2. Use the web or other resources to research at least two criminal or civil cases in which recovered files played a significant role in how the case was resolved. (300 words)
Chapter 8 ppt
Chapter 8
Finding Lost Files
Old Files Never Die
Deleting a file doesn’t erase data
Even a wiped file may leave behind artifacts
Remnants of old files may remain in slack space or unallocated space
Temporary files may still exist or be recoverable
Some files aren’t deleted, but rather intentionally hidden
OS File Recovery
Deleting a file sends it to the “Trash” or “Recycle Bin”
File is simply renamed and moved to a hidden folder
Deleting the file from Recycle marks the space used by the file as available (but does not erase data)
Using a WIPE utility overwrites the data on the medium with random characters
What is Slack Space?
Hard disks are divided into clusters of 4 to 32 KB
If a file does not fill a cluster, the remainder of the cluster is not overwritten, nor is it available
Slack space also exists between partitions on a physical disk
Utilities such as Slacker can harness all this space into a usable file system
What is Unallocated Space?
When a disk is formatted, each cluster is identified and mapped
When a file is created or copied to the system, the file system marks the clusters it occupies as “allocated”
When a file is removed from Recycle, the clusters aren’t erased, but merely marked as “unallocated”
Unallocated space can hold a lot of data
Recovering Deleted Files
Specialized utilities read the file system metadata and identify clusters where files once lived
If the space has not been overwritten, the files can be recovered intact
Mark space as allocated
Give the file a new name
Disk editing utilities allow the residual data from partially overwritten files to be copied to a new file
Data Carving
Files in unallocated space can be retrieved by “data carving”
All bits stored on the medium beginning with a file header and going through to an end of file marker are copied to a new file
Few utilities can salvage files stored on noncontiguous clusters
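The header-to-footer carving described on this slide, as an added example that is not part of the original slides. It carves JPEG signatures from a constructed buffer standing in for unallocated space; the 4096-byte cluster size, the helper names and the sample data are assumptions. The second carved file shows why noncontiguous clusters are a problem: the carve picks up a foreign cluster lying between the file's two fragments.

```python
# Added illustration: header/footer carving over a constructed raw buffer.
JPEG_SOI = b"\xff\xd8\xff"  # JPEG start-of-image marker plus next marker prefix
JPEG_EOI = b"\xff\xd9"      # JPEG end-of-image marker
CLUSTER = 4096              # assumed cluster size for the constructed sample

def carve(raw, header=JPEG_SOI, footer=JPEG_EOI, max_size=10 * 1024 * 1024):
    """Return (offset, data) for each header-to-footer run found in raw."""
    found, pos = [], 0
    while True:
        start = raw.find(header, pos)
        if start == -1:
            return found
        end = raw.find(footer, start + len(header), start + max_size)
        if end == -1:
            pos = start + 1   # no footer within max_size: not carvable, move on
            continue
        end += len(footer)
        found.append((start, raw[start:end]))
        pos = end

def build_sample():
    """Constructed 'unallocated space': one contiguous and one fragmented file."""
    def pad(data):
        return data.ljust(CLUSTER, b"\x00")
    whole = JPEG_SOI + b"\xe0" + b"A" * 100 + JPEG_EOI
    frag_head = JPEG_SOI + b"\xe0" + b"B" * (CLUSTER - 4)   # fills its cluster
    frag_tail = b"B" * 50 + JPEG_EOI
    foreign = b"\x11" * CLUSTER      # cluster owned by an unrelated file
    image = pad(b"") + pad(whole) + frag_head + foreign + pad(frag_tail)
    return image, whole, frag_head + frag_tail

if __name__ == "__main__":
    image, whole, frag = build_sample()
    for offset, data in carve(image):
        status = "intact" if data in (whole, frag) else "contains foreign cluster data"
        print(f"offset {offset}: {len(data)} bytes, {status}")
```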
Data Carving Tools
Carver
Foremost
Scalpel
Chapter 7
Data Acquisition
Never Work on the Original
Make forensically sound copies
Keep a master copy and make several working copies
Calculate a hash value of each copy and make sure they match
Each copy must have a unique identifier
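One way to carry out the copy, hash and identify steps on this slide, as an added example that is not part of the original slides. It assumes the master is an image file that has already been acquired; the ID scheme, file names and the random stand-in image are constructed for the demonstration.

```python
import hashlib, os, shutil, tempfile, uuid

def sha256_file(path, chunk=1024 * 1024):
    """Hash in chunks so a multi-gigabyte image never has to fit in RAM."""
    digest = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            digest.update(block)
    return digest.hexdigest()

def make_working_copies(master, dest_dir, count):
    """Copy an acquired master image; record a unique ID and hash per copy."""
    manifest = [{"id": "MASTER", "path": master, "sha256": sha256_file(master)}]
    for n in range(1, count + 1):
        copy_id = f"WC{n:02d}-{uuid.uuid4().hex[:8]}"   # hypothetical ID scheme
        path = os.path.join(dest_dir, copy_id + ".dd")
        shutil.copyfile(master, path)   # source is an image file, not the evidence drive
        manifest.append({"id": copy_id, "path": path, "sha256": sha256_file(path)})
    return manifest

def mismatches(manifest):
    """Re-hash every file; return IDs that no longer match the master's hash."""
    expected = manifest[0]["sha256"]
    return [e["id"] for e in manifest if sha256_file(e["path"]) != expected]

def demo():
    """Constructed run: stand-in image, two working copies, one then altered."""
    work = tempfile.mkdtemp()
    try:
        master = os.path.join(work, "master.dd")
        with open(master, "wb") as f:
            f.write(os.urandom(3 * 1024 * 1024 + 17))   # constructed stand-in data
        manifest = make_working_copies(master, work, 2)
        before = mismatches(manifest)
        with open(manifest[2]["path"], "r+b") as f:     # flip one byte in copy 2
            f.seek(100)
            byte = f.read(1)
            f.seek(100)
            f.write(bytes([byte[0] ^ 0xFF]))
        after = mismatches(manifest)
        return [e["id"] for e in manifest], before, after
    finally:
        shutil.rmtree(work)

if __name__ == "__main__":
    ids, before, after = demo()
    print("copies:", ids, "| mismatches before:", before, "| after:", after)
```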
Order of Volatility
RAM
Temporary files
Local disks
External storage media
Network attached storage (NAS or SAN)
Archival backups
Memory and Running Processes
Memory can hold passwords
Can be difficult to extract, but in a pinch may be all you have
Running processes can identify malware running on the system
Routing tables can be extracted from memory
Network connections reside in RAM
Capturing Memory
Memory is a device
Memory can be dumped into a file
The amount of memory captured may be different from the amount of installed RAM
Some utilities capture device cache memory
Some utilities don’t capture installed RAM set aside as a device cache
Memory Capture Utilities
Most commercial forensic suites offer memory capture capability
DD utility (both Windows and Linux)
Dumpit
Memoryze
Memory Capture Tips
Keep your memory footprint to a minimum
Run from a flash drive if possible
Copy memory image to an external device
Make sure the device receiving the image can handle large files
Computers today have large amounts of RAM
Many USB drives continue to be formatted to FAT32 (4 GB maximum file size)
Memory Capture Procedures
Start the documentation process
Run a batch file that collects user information, network connections, time/date, and open files
Collect a memory dump
Copy the paging file
Copy any hibernation files
Media Capture
Document everything
Use a forensic write-blocker when copying any data
Do NOT use standard copy utilities to make copies
Store all images on forensically sound media
Disk Image File Formats
DD Images (bit-for-bit)
Expert Witness Format (EWF)
Advanced Forensic Format (AFF)
Safeback (by NTI)
ILook Imager
ProDiscover File Format