Posted

Just curious as to what is possible with today's technology. What equipment/tools are available (professional and amateur) to analyze computers for evidence?

This is just a general thread I want to start because forensic science is cool!

Posted

What do you want to do? It's not clear. Do you want to search a suspect computer for possible evidence? Do you have it in front of you, or are you doing this remotely?

In any case, special software is used. The public can normally get similar things, although the best-quality stuff is either expensive or not available to the public.

Posted

It is possible to pull data off a hard drive even after these "delete stuff for real" tools have been used, sometimes due to the way modern disks work: by copying data from areas with bad sectors to clean areas, it leaves behind and ignores the old data... Is that the kind of thing you mean?

Posted
"delete stuff for real"

The rest of your post depends on what you mean by the quote! Whilst even after a format some data can be recovered, there are programs which wipe the computer, write to all the sectors, erase that, etc., etc.

Eraser (see http://www.heidi.ie/eraser/) is based on a technology written about in this paper, "Secure Deletion of Data from Magnetic and Solid-State Memory":

http://www.usenix.org/publications/library/proceedings/sec96/full_papers/gutmann/

and is meant to be totally non-recoverable by any yet-invented system.

Posted

My initial post was basically just me trying to start a discussion, because all types of forensics are interesting to me. So please feel free to discuss anything you may have learned in the past about PCs that I may not know, or that anyone here may not know.

Here is a question...

If a disk becomes fragmented AND unreadable by a standard PC, how do they piece together the large amounts of bytes? Where on the hard drive is the information stored that one part of a file belongs to another part of a file?

Posted
If a disk becomes fragmented AND unreadable by a standard PC, how do they piece together the large amounts of bytes?

There are two methods: one, getting a computer program to piece together bits of code until, well, I'm not sure, until it works or is recognisable in some form. Or you can get a professional charging large sums of money who will go through the coding and can try and patch it together again... or at least that is how it seems to work from random things I've read.

Where on the hard drive is the information stored that one part of a file belongs to another part of a file?

What do you mean? Files are physically 'written' onto a disk; each bit of each program is stored in a specified location on the magnetic part of the disk (assume we are talking about a HDD [hard drive disk] here).

Posted
It is possible to pull data off a hard drive even after these "delete stuff for real" tools have been used, sometimes due to the way modern disks work: by copying data from areas with bad sectors to clean areas, it leaves behind and ignores the old data... Is that the kind of thing you mean?

Also, the disk 'wobbles' as it is reading/writing. OK, imagine that this is the lens:

x
x
x <-- chunky lens
x
x
x

Right, as the lens goes along, it writes tracks of data, much like you'd get on an LP, but of course in binary (ie, the disk is round and the data is written in spirals).

Below is an example of a line of binary data, written by that chunky lens shown above. Note that the lines are repeated to represent the size of the line of data (not that the 0s and 1s are repeated six times -- that would just be silly).

00010110111001x
00010110111001x
00010110111001x <-- chunky lens writing data
00010110111001x
00010110111001x
00010110111001x

Now, imagine that the data is deleted and written over. Because the disk 'wobbles' as it is in use, the lens may not be aligned 100% accurately over the line of data, so it will overwrite most, but not all, of the data, like so:

01011010101110x
01011010101110x
01011010101110x <-- chunky lens writing data
01011010101110x
01011010101110x
01011010101110x
00010110111001 <--------- remnant of previous data

Now we get this:

01011010101110
01011010101110
01011010101110
01011010101110
01011010101110
01011010101110
00010110111001

Notice how, due to the wobble, there are essentially two lines of data here - the larger new line (a single bit of info from this line is shown in blue above), and the smaller older line of data (one bit of info picked out in green above).

Noooow, when the lens comes to reading the data it can 'wobble' again and read both data streams, like thus:

01011010101110
01011010101110x
01011010101110x <-- chunky lens reading data
01011010101110x
01011010101110x
01011010101110x
00010110111001x

Which isn't actually a problem. The last bit of data that it reads (shown above in red) is predominantly '0', and only a little bit '1', so the chunky lens doesn't even notice the '1' from the old data; the bit is read as a '0' and everything works OK.

Forensically, it is possible to put the disk from the HDD into another HDD with a smaller lens, for example:

x <-- small lens

This forensic HDD is well made and runs at a slow speed, to minimise wobble.

Now, when the disk is read, the area looked at is much smaller (shown in blue):

01011010101110x <-- thin lens reading
01011010101110
01011010101110
01011010101110
01011010101110
01011010101110
00010110111001

In the above example, the lens would read '01011010101110', which is the new data -- nothing special there.

On the next pass, it would read another thin section of the line of data, eg:

01011010101110
01011010101110x <-- thin lens reading
01011010101110
01011010101110
01011010101110
01011010101110
00010110111001

Again, the lens would read '01011010101110', which is still the new data -- so still nothing special there.

Eventually, the lens would read the bottom part of the line of data, like thus:

01011010101110
01011010101110
01011010101110
01011010101110
01011010101110
01011010101110
00010110111001x <-- thin lens reading

Now the lens reads '00010110111001', which is the old data that had been deleted and written over. Ta da! Deleted and overwritten data retrieved.

Sorry if that was a tad long-winded.

Posted
Where on the hard drive is the information stored that one part of a file belongs to another part of a file?

If you mean what I think you mean, then I believe it is vaguely similar to how the tags on this forum work.

So, the data is written in this format (although obviously in binary):

[file=C:\user\bob\desktop\shopping_list]01110101001101010110[/file]

If it's fragmented, I'd assume it's:

[file=C:\user\bob\desktop\shopping_list.txt]0111010100[fragmented:goto disk location blah][/file]

Then at location 'blah', there would be:

[file=FRAG2.C:\user\bob\desktop\shopping_list.txt]1101010110[/file]

And if the file [file=C:\user\bob\desktop\shopping_list.txt]01110101001101010110[/file] is deleted, it becomes:

[delete][file=C:\user\bob\desktop\shopping_list.txt]01110101001101010110[/file][/delete]

in which case new data can be written over it.

That may be a tad incorrect, but it's vaguely how it works. Forensically, a program is used which displays the source code rather than interpreting it like Windows does (ie, Windows will completely ignore something in the [delete] tags, but the code-viewing software will still display the code). I'd assume a simple copying of the data, removing the delete tags and saving it to disk, then viewing with the appropriate program (and obviously locating all of the file fragments) will allow retrieval of the data.
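Here is an added example (a toy model of my own, not code from any post in this thread and not the real on-disk FAT layout) of where the "this fragment belongs to that file" information actually lives on a FAT-style volume: a directory entry records the file's first cluster, and a separate allocation table chains each cluster to the next. It also shows why undeleting gets hard once a file was fragmented: deletion releases the chain, so a recovery tool can only guess that the clusters were contiguous.

```python
from math import ceil

# Toy FAT-style volume (constructed example, not the real on-disk FAT format).
CLUSTER = 4      # bytes per cluster, tiny so the example stays short
FREE = 0         # allocation-table value for an unallocated cluster
END = -1         # allocation-table value that terminates a file's chain

class Volume:
    def __init__(self, n_clusters):
        self.data = [b"\0" * CLUSTER for _ in range(n_clusters)]
        self.fat = [FREE] * n_clusters   # fat[c] = next cluster of the same file
        self.dir = {}                    # name -> (first cluster, size, deleted)

    def write(self, name, payload, clusters):
        """Store payload across the given clusters (non-adjacent = fragmented)."""
        chunks = [payload[i:i + CLUSTER] for i in range(0, len(payload), CLUSTER)]
        assert len(chunks) == len(clusters), "cluster list must match payload size"
        for c, chunk in zip(clusters, chunks):
            self.data[c] = chunk.ljust(CLUSTER, b"\0")
        for here, nxt in zip(clusters, clusters[1:] + [END]):
            self.fat[here] = nxt          # "part A belongs to part B" lives here
        self.dir[name] = (clusters[0], len(payload), False)

    def read(self, name):
        """Normal read: start at the directory entry and follow the chain."""
        start, size, _ = self.dir[name]
        out, c = b"", start
        while c != END:
            out += self.data[c]
            c = self.fat[c]
        return out[:size]

    def delete(self, name):
        """Delete = flag the entry and release the chain; cluster bytes stay put."""
        start, size, _ = self.dir[name]
        c = start
        while c != END:
            nxt = self.fat[c]
            self.fat[c] = FREE
            c = nxt
        self.dir[name] = (start, size, True)

    def undelete(self, name):
        """Recovery heuristic: the chain is gone, so assume clusters were contiguous."""
        start, size, _ = self.dir[name]
        n = ceil(size / CLUSTER)
        return b"".join(self.data[start:start + n])[:size]
```

For an unfragmented file the guess is right; for a fragmented one it silently returns whichever bytes happen to sit in the neighbouring cluster, which is exactly why carving tools have to go hunting for the other fragments.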

Posted
Just curious as to what is possible with today's technology. What equipment/tools are available (professional and amateur) to analyze computers for evidence?

Ultimately, people will be the best tool, as people are actually more versatile than programs in interpreting code.

For example, if you right-click on this page and select 'view source code/view page source', you get the XHTML code for this page. If any part of this code becomes corrupted, it runs the risk of the file, or part of the file, not being readable by a program.

Take this bit for illustration of my point:

.tcat a:hover, .tcat a:active
{
color: #FFFF66;
text-decoration: underline;
}

Say it gets randomly corrupted, and the 'x' of text is deleted, giving:

.tcat a:hover, .tcat a:active
{
color: #FFFF66;
tet-decoration: underline;
}

Now, as 'tet-decoration' isn't a valid XHTML value, the web browser which is reading it won't understand the variable which follows, and so will not do anything with that entire line of code.

(In this case, umm, let's see, I believe that the code means that when the cursor is placed over the link, it should change colour to whatever colour #FFFF66 is, and also should become underlined. The deletion of the x means either that the link will change colour but not become underlined, or that the entire segment of code will become unreadable and so nothing will happen when the cursor is put over the link.)

A human, however, can look at the line 'tet-decoration: underline;' and understand what it means, and even fix it by inserting the missing x.

That's why humans are the most important tool.

A slightly better example could be this:


<!-- post #173863 -->
<!-- open content container -->

<div align="center">
	<div class="page" style="width:100%; text-align:left">
		<div style="padding:0px 15px 0px 15px">
<div style="padding:0px 0px 6px 0px">

<table class="tborder" cellpadding="6" cellspacing="0" border="0" width="100%" align="center">
<tr>

	<td class="thead" style="font-weight:normal" >		
		<!-- status icon and date -->

		<a name="post173863"><img class="inlineimg" src="http://www.scienceforums.net/forums/images/statusicon/post_old.gif" alt="Old" border="0" /></a>
		Yesterday, 03:38 PM

		<!-- / status icon and date -->				
	</td>
	<td class="thead" style="font-weight:normal" align="right">
		 
<!-- checks for warning system -->






<!-- end of warning system -->

		#<a href="showpost.php?p=173863&postcount=2" target="new"><strong>2</strong></a>

	</td>

</tr>
<tr valign="top">
<td class="alt2" width="175">

		<div id="postmenu_173863">

			<a class="bigusername" href="member.php?u=1747">5614</a>
			<script type="text/javascript"> vbmenu_register("postmenu_173863", true); </script>

		</div>


		<div class="smallfont">Scientist</div>



			<div class="smallfont">
				 <br /><a href="member.php?u=1747"><img src="image.php?u=1747&dateline=1115977451" alt="5614's Avatar" border="0" /></a>
			</div>


		<div class="smallfont">
			 <br />
			<div><span style="font-style: italic;">Join Date:</span> Jun 2004</div>

			<div><span style="font-style: italic;">Location:</span> London, UK</div>

			<div>
				<span style="font-style: italic;">Posts:</span> 3,304
			</div>

			<div style="padding-top: 5px;"> <a href="#" onclick="return imwindow('aim', '1747', 400, 200)"><img src="http://www.scienceforums.net/forums/images/misc/im_aim.gif" alt="Send a message via AIM to 5614" border="0" /></a> <a href="#" onclick="return imwindow('msn', '1747', 400, 200)"><img src="http://www.scienceforums.net/forums/images/misc/im_msn.gif" alt="Send a message via MSN to 5614" border="0" /></a> </div>

		</div>					

</td>
<td class="alt1">
<TABLE width=100%><TR>
	<TD width=90%>

	</td>


		<TD width=10% align="right">



		</td>


	</tr></table>

		<hr size="1" style="color:#C1C1D1" />


	<!-- message -->
	<div>What do you want to do? <i>It's not clear</i>. Do you want to search a suspect computer for possible evidence? Do you have it in front of you, or are you doing this remotely?<br />
<br />
In any case special software is used, the public can normally get similar things, although the best quality is stuff is either expensive or not available to the public.</div>
	<!-- / message -->




	<!-- sig -->

		<div> 

which I believe is the first part of the code to display this post by 4nums. Now, if I'm reading this right (and it's entirely possible that I'm not, what with not being able to read XHTML and whatnot, but here goes), I believe that a corruption in the second line of code

(ie: <!-- open content container --> )

would render that entire bit of code incomprehensible to a computer program, as the interpretation of everything that follows is dependent on knowing that it should be in a content container (possibly). However, everything that follows is still understandable by a human reading the source code, most notably the last bit,

<!-- message -->
	<div>What do you want to do? <i>It's not clear</i>. Do you want to search a suspect computer for possible evidence? Do you have it in front of you, or are you doing this remotely?<br />
<br />
In any case special software is used, the public can normally get similar things, although the best quality is stuff is either expensive or not available to the public.</div>
	<!-- / message -->

	<!-- sig -->

		<div>

which means that his message can still be read, even though the code that precedes it might be shafted to the point that a program could not read anything past that point.

Or something. I can't code myself, so feel free to correct any errors.
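The "a program can't read past the damage but a human can" point above is also what file-carving tools rely on: instead of parsing the document, they scan the raw bytes for known header/footer signatures. This is an added example of my own (not code from the thread or from any real carving tool) that carves the message text out of the quoted page source after the "open content container" line and the tag after it have been corrupted, using the page's own <!-- message --> and <!-- / message --> comments as the signatures.

```python
import re

# Constructed sample: the vBulletin fragment quoted above, with the "open content
# container" comment and the tag after it damaged by a few garbage bytes.
CORRUPTED_PAGE = (
    b"<!-- post #173863 -->\n"
    b"<!-- open con\x00\xff\x13ainer -->\n"
    b"<d\x00v alig=\"center\">\n"
    b"<div class=\"page\" style=\"width:100%; text-align:left\">\n"
    b"<!-- message -->\n"
    b"<div>What do you want to do? <i>It's not clear</i>. "
    b"Do you want to search a suspect computer for possible evidence?</div>\n"
    b"<!-- / message -->\n"
    b"<!-- sig -->\n<div>\n"
)

HEADER = b"<!-- message -->"     # signatures taken from the page source above
FOOTER = b"<!-- / message -->"

def whole_file_is_valid_utf8(blob):
    """What a strict tool does: one bad byte and the entire file is rejected."""
    try:
        blob.decode("utf-8")
        return True
    except UnicodeDecodeError:
        return False

def carve(blob, header=HEADER, footer=FOOTER, max_len=65536):
    """Return every byte run between a header and the next footer.
    Works on raw bytes, so damage elsewhere in the file does not matter;
    a header with no footer within max_len is skipped rather than carved."""
    found, pos = [], 0
    while (start := blob.find(header, pos)) >= 0:
        body_start = start + len(header)
        end = blob.find(footer, body_start, body_start + max_len)
        if end < 0:
            pos = body_start          # no footer in range: move past this header
            continue
        found.append(blob[body_start:end])
        pos = end + len(footer)
    return found

def strip_tags(fragment):
    """Reduce a carved markup fragment to readable text, dropping garbage bytes."""
    text = re.sub(rb"<[^>]*>", b"", fragment)
    return " ".join(text.decode("ascii", errors="ignore").split())
```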
