Chapter 17 COMPUTER FORENSICS

17- 7
Terminology
• Output Devices: Equipment through which data is obtained from the computer. – To name a few: • Monitor • Printer • Speakers • The Hard Disk Drive (HDD) is typically the primary location of data storage within the computer.
CRIMINALISTICS An Introduction to Forensic Science, 9/E By Richard Saferstein
PRENTICE HALL ©2007 Pearson Education, Inc. Upper Saddle River, NJ 07458
17- 2
CRIMINALISTICS An Introduction to Forensic Science, 9/E By Richard Saferstein
PRENTICE HALL ©2007 Pearson Education, Inc. Upper Saddle River, NJ 07458
17-10
CRIMINALISTICS An Introduction to Forensic Science, 9/E By Richard Saferstein PRENTICE HALL ©2007 Pearson Education, Inc. Upper Saddle River, NJ 07458
How Data is Stored
• Sectors are typically 512 bytes in size.
– Remember a byte is 8 bits . – A bit is a single 1 or 0.
• Clusters are groups of sectors and their size is defined by the operating system.
17- 4
Terminology
• Computer Case/Chassis: This is the physical box holding the fixed internal computer components in place. • Power Supply: PC’s power supply converts the power it gets from the wall outlet to a useable format for the computer and its components. • Motherboard: The main circuit board contained within a computer (or other electronic devices) is referred to as the motherboard. • System Bus: Contained on the motherboard, the system bus is a vast complex network of wires that serves to carry data from one hardware device to another.
The Basics
• Before getting into the nuts and bolts of computers, the important distinction between hardware and software must be established. • Hardware comprises the physical and tangible components of the computer. • Software conversely, is a set of instructions compiled into a program that performs a particular task. Software are those programs and applications that carry out a set of instructions on the hardware.
CRIMINALISTICS An Introduction to Forensic Science, 9/E By Richard Saferstein PRENTICE HALL ©2007 Pearson Education, Inc. Upper Saddle River, NJ 07458
How Data is Stored
• Generally speaking a HDD needs to have its space defined before it is ready for use. • Partitioning the HDD is the first step. • When partitioned, HDDs are mapped (formatted) and have a defined layout. • They are logically divided into sectors, clusters, tracks, and cylinders.
17- 6
Terminology
• Central Processing Unit (CPU): The CPU, also referred to as a processor, is essentially the brains of the computer. • Input Devices: These devices are used to get data into the computer
Chapter 17 COMPUTER FORENSICS
CRIMINALISTICS An Introduction to Forensic Science, 9/E By Richard Saferstein
PRENTICE HALL ©2007 Pearson Education, Inc. Upper Saddle River, NJ 07458
– To name a few:
• Keyboard • Mouse • Joy stiБайду номын сангаасk • Scanner
CRIMINALISTICS An Introduction to Forensic Science, 9/E By Richard Saferstein PRENTICE HALL ©2007 Pearson Education, Inc. Upper Saddle River, NJ 07458
CRIMINALISTICS An Introduction to Forensic Science, 9/E By Richard Saferstein
PRENTICE HALL ©2007 Pearson Education, Inc. Upper Saddle River, NJ 07458
17- 9
CRIMINALISTICS An Introduction to Forensic Science, 9/E By Richard Saferstein
PRENTICE HALL ©2007 Pearson Education, Inc. Upper Saddle River, NJ 07458
17- 8
CRIMINALISTICS An Introduction to Forensic Science, 9/E By Richard Saferstein
PRENTICE HALL ©2007 Pearson Education, Inc. Upper Saddle River, NJ 07458
17- 3
17- 5
Terminology
• Read Only Memory (ROM): ROM chips store programs called firmware, used to start the boot process and configure a computer’s components. • Random Access Memory (RAM): RAM serves to take the burden off of the computer’s processor and Hard Disk Drive (HDD). – The computer, aware that it may need certain data at a moments notice, stores the data in RAM. – RAM is referred to as volatile memory because it is not permanent; its contents undergo constant change and are forever lost once power is taken away from the computer.
– Clusters are always in sector multiples of two. – A cluster, therefore, will consist of 2, 4, 6, 8, or etc. sectors. (With modern day operating systems, the user can exercise some control over the amount of sectors per cluster.)
17- 1
Introduction
• Computers have permeated society and are used in countless ways with innumerable applications. • Similarly, the role of electronic data in investigative work has realized exponential growth in the last decade. • The usage of computers and other electronic data storage devices leaves the footprints and data trails of their users.
Introduction
• Computer forensics involves the preservation, acquisition, extraction, and interpretation of computer data. • In today’s world of technology, many devices are capable of storing data and could thus be grouped into the field of computer forensics.
Terminology
• Different operating systems map out (partition) HDDs in different manners • Examiners must be familiar with the file system they are examining. • Evidence exists in many different locations and in numerous forms on a HDD. • The type of evidence can be grouped under two major sub-headings: visible and latent data.
CRIMINALISTICS An Introduction to Forensic Science, 9/E By Richard Saferstein PRENTICE HALL ©2007 Pearson Education, Inc. Upper Saddle River, NJ 07458