The hard disk is an important source of information from the investigator's point of view, so an investigator should know its structure and behavior. The data to be collected from the hard disk as evidence has to be located and protected from perishing, which means the investigator needs all the necessary information about the disk. The file system is also important, because the way data is stored and distributed on the hard disk depends on the file system used.
On completion of this chapter, an investigator will be familiar with disk drives and the types of hard disk interfaces, and will understand file systems, disk partitions, and various hard disk evidence collector tools.
Digital evidence is delicate information that needs to be collected and preserved carefully. The use of digital devices has increased drastically, and such devices are now used in crime more than before. Hence, an investigator needs to deal with collecting and preserving evidence from digital devices.
This chapter introduces how to find digital evidence on a computer system, or on any electronic device that contains digital data, in a forensically sound manner. It discusses digital media devices such as tapes, floppy disks, CDs, DVDs, iPods, flash memory cards, and USB flash drives.
Booting is the process of loading an operating system into the computer's main memory, or random access memory (RAM). Once the operating system is loaded, the computer is ready for users to run applications. This chapter describes the terminology and the basic booting process in the Windows XP, Linux, and Mac OS X operating systems. It also emphasizes the step-by-step booting processes for Windows, Linux, and Mac OS X.
When a Windows-based system is investigated to gather evidence and relevant facts, the investigation involves several steps for collecting volatile data. Volatile data contains the current information about the machines, registers, caches, etc. This chapter familiarizes the investigator with the process of forensic investigation in a Windows-based environment. It also highlights the various tools that help in the investigation process to solve Windows crimes.
The Windows operating system maintains logs of the activities performed by the user and of the changes taking place on the system. These logs are important from the point of view of the investigation, as they show what happened on the system and which changes took place. The logs are stored in specific locations on the system; an investigator should have knowledge of the system, as it will help to extract the logs and use them as evidence.
This chapter explains text-based logs and the forensic analysis of event-based logs. It also covers the password issues encountered during an investigation.
Linux is an important and widely used operating system. Many users opt for Linux because it is free and open source. A forensic investigator should know how to investigate a Linux system and where to search for evidence. Detailed knowledge of the Linux system will help the investigator in the investigation process.
This chapter familiarizes the investigator with the Linux forensic investigation process. It discusses analysis techniques such as Floppy Disk Analysis and Hard Disk Analysis. It also emphasizes several popular Linux tool kits that provide a GUI for convenience, along with their search techniques.
A password cracker is an application program that is used to identify an unknown or forgotten password to a computer or network resource. It can also be used to help a human cracker to obtain unauthorized access to resources.
This chapter deals with password crackers and the tools used in password recovery. It sheds light on delicate concepts, such as ways to bypass BIOS passwords, remove CMOS batteries, and Windows XP/2000/NT keys. It also enumerates the BIOS password crackers and explains the Passware Kit, and it highlights topics such as the default password database and distributed network attacks.