We’ll get started at 19:05

the forensic process

comp6445 week02

Lecture content

The forensic process

  • Digital evidence must be collected via a standard, documented, and proven forensic process

Forensically sound

Which two aspects are required for evidence to be admissible?

Forensically sound

  • Two aspects for evidence to be admissible?
    • defensible: accepted as industry standard and/or proven to be sound
    • repeatable: well-documented, 3rd party could replicate it with the same results.

Drive structure

  • file system: data structure for organisation of files
  • volume: container for a file system
  • sector: smallest storage unit of a drive (512B)
  • clusters: groups of sectors
  • unpartitioned space: .

harddrive: meme

Hidden items

Where could you look for hidden information on a drive?

Hidden items

  • Where to look for hidden information on a drive?
    • Hidden partitions (e.g. modified PT)
    • Unallocated space
    • Slack (drive and volume)

Additional areas

  • Host Protected Area
  • Device Configuration Overlay

Read more here

SDD vs HDD

Would it be harder to carve files on a HDD or SDD, why?

Reports

  • I would suggest that you start now
  • Keep a note of your process
  • I’ll release a template report next week

Random extra stuff

I found this wierd file on my computer, you can download it here

Walkthrough

Was there any challenges last week you couldn’t solve?

Challenges