Cyber Crime and Cyber Terrorism

Cyber crime and cyber terrorism investigators handbook by Babak

Recovering deleted information
marked for re-use. This information is itself recorded in special files used by the file system, so the file table has a self-referencing entry of its own. With NTFS the two files that store this information are $MFT and $Bitmap: the former holds the records describing each file, and the latter records which clusters are in use and which are free.
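The $Bitmap described above is the map an investigator consults to find the unallocated space that deleted data has been released into. As an added example (not code from the handbook), the following walks a $Bitmap and turns it into the cluster runs, and then the byte ranges, that a carving pass would read. It assumes the NTFS layout of one bit per cluster, least-significant bit first within each byte, with a set bit meaning the cluster is allocated; the sample bitmap is constructed for the example, and the cluster count and cluster size would normally be read from the volume boot sector.

```python
"""List the unallocated cluster runs recorded in an NTFS $Bitmap.

Added example, not code from the handbook. It relies on the $Bitmap layout
described above: one bit per cluster, least-significant bit first within each
byte, a set bit meaning the cluster is allocated. The sample bitmap is
constructed for the example and does not come from a real volume.
"""
from typing import List, Tuple


def unallocated_runs(bitmap: bytes, total_clusters: int) -> List[Tuple[int, int]]:
    """Return (first_cluster, run_length) for every run of free clusters.

    total_clusters comes from the boot sector; $Bitmap is padded to a whole
    number of bytes, so bits beyond total_clusters are ignored.
    """
    if len(bitmap) * 8 < total_clusters:
        raise ValueError("bitmap too short for the stated cluster count")
    runs: List[Tuple[int, int]] = []
    run_start = None
    for cluster in range(total_clusters):
        in_use = (bitmap[cluster >> 3] >> (cluster & 7)) & 1
        if not in_use and run_start is None:
            run_start = cluster            # a free run begins here
        elif in_use and run_start is not None:
            runs.append((run_start, cluster - run_start))
            run_start = None               # the free run ends
    if run_start is not None:              # free run reaches the end of the volume
        runs.append((run_start, total_clusters - run_start))
    return runs


def unallocated_byte_ranges(bitmap: bytes, total_clusters: int,
                            bytes_per_cluster: int,
                            partition_offset: int = 0) -> List[Tuple[int, int]]:
    """Translate free cluster runs into (byte_offset, byte_length) within the image.

    These are the regions a carving pass over unallocated space would read.
    """
    return [(partition_offset + first * bytes_per_cluster, length * bytes_per_cluster)
            for first, length in unallocated_runs(bitmap, total_clusters)]


# Constructed 16-cluster bitmap. Byte 0 = 0b10110111: clusters 3 and 6 free.
# Byte 1 = 0b00001111: clusters 8-11 allocated, clusters 12-15 free.
SAMPLE_BITMAP = bytes([0b10110111, 0b00001111])
SAMPLE_CLUSTERS = 16

if __name__ == "__main__":
    for first, length in unallocated_runs(SAMPLE_BITMAP, SAMPLE_CLUSTERS):
        print(f"free clusters {first}-{first + length - 1} ({length} clusters)")
    for offset, size in unallocated_byte_ranges(SAMPLE_BITMAP, SAMPLE_CLUSTERS, 4096):
        print(f"carve region at byte {offset}, {size} bytes")
```

On a real image the cluster count is capped at the boot-sector value rather than at the length of $Bitmap, because the last byte of the bitmap carries padding bits that do not correspond to clusters; treating them as free clusters would send a carver past the end of the volume.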
SEARCHING FOR EVIDENCE
There are many forensic tools available for forensic analysis; some are proprietary, others are released under free or open-source licences. Proprietary tools such as EnCase (Guidance Software, 2014) and FTK (AccessData, 2014) are used extensively by law enforcement, while free and open-source tools such as Autopsy (Carrier, 2013) are gaining popularity with independent investigators and consultants. Individual tools have their own strengths and weaknesses, and it is not the intention to compare them here. They do, however, share similar functionality and modes of operation, and the objectives of the investigation are the same regardless of the tool or tools selected. The discussion in this section will therefore cover how artifacts are discovered and recovered from hard drives, not the practicalities of how the tools are used to achieve this (also see Chapters 6 and 8).
KEYWORD AND PHRASE SEARCH
The primary tool of most investigative forensic software is its search facility. A search can be performed for a word or phrase pertinent to the investigation. The word or phrase may sit on the hard drive as plain ASCII text, or it may form part of a composite file. Composite files are those which rely on an application to render their information, for example zip archives, email stores, Microsoft Office and Adobe documents; most investigative tools can render the formats of the most common composite files. Note that a raw search for ASCII text will miss the same phrase stored as UTF-16, the encoding Windows uses for much of its own metadata, or held inside a compressed container, which is why tools search several encodings and expand composite files before searching them. Searches can also be used to find files themselves by matching keywords against their file names. Particular composite file types can be identified and catalogued too, for instance image files such as jpeg, bmp and png. These searches should be performed using the files' magic numbers, which were discussed earlier, rather than their extensions; this prevents a malicious party hiding a file's true purpose simply by renaming it. Most forensic tools offer a facility to mark any evidence of consequence and associate it with a case. Some also allow files to be viewed using inbuilt viewers that do not write to the evidence, so its integrity is maintained (see Chapter 6).
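The two search operations described above, a keyword search over raw disk contents and identification of file types by magic number rather than extension, are shown together in the following added example. It is not code from the handbook or from any of the tools it names. The disk image is a constructed byte string, the signature table covers only a handful of common formats, and the EXTENSIONS map (which treats OOXML Office documents as the zip containers they are) is the example's own; the keyword search goes slightly beyond the text by also matching the phrase in UTF-16LE and in either case, since that is how a practitioner would actually run it against a Windows volume.

```python
"""Raw keyword search and magic-number identification over a disk image.

Added example, not code from the handbook or from any forensic tool named in it.
The image is a constructed byte string; MAGIC covers only a few common formats,
and EXTENSIONS maps each format to the extensions it legitimately uses (OOXML
Office documents are zip containers, legacy Office files are OLE containers).
"""
import re
from typing import Dict, List, Optional, Tuple

MAGIC: Dict[str, bytes] = {
    "jpeg": b"\xff\xd8\xff",
    "png": b"\x89PNG\r\n\x1a\n",
    "gif": b"GIF8",
    "pdf": b"%PDF-",
    "zip": b"PK\x03\x04",
    "ole": b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1",   # legacy .doc/.xls/.ppt container
    "bmp": b"BM",   # only two bytes: validate the header size field before trusting a hit
}

EXTENSIONS: Dict[str, set] = {
    "jpeg": {"jpg", "jpeg"},
    "png": {"png"},
    "gif": {"gif"},
    "pdf": {"pdf"},
    "zip": {"zip", "docx", "xlsx", "pptx", "jar"},
    "ole": {"doc", "xls", "ppt", "msg"},
    "bmp": {"bmp"},
}


def _case_insensitive_pattern(keyword: str, encoding: str) -> "re.Pattern[bytes]":
    """Build a byte regex matching the keyword in either case under one encoding."""
    parts = []
    for ch in keyword:
        lo, up = ch.lower().encode(encoding), ch.upper().encode(encoding)
        parts.append(re.escape(lo) if lo == up
                     else b"(?:" + re.escape(lo) + b"|" + re.escape(up) + b")")
    return re.compile(b"".join(parts))


def keyword_hits(data: bytes, keyword: str) -> List[Tuple[int, str]]:
    """Offsets of the keyword as single-byte text and as UTF-16LE, sorted by offset.

    Windows stores many strings (registry values, NTFS names, recent-document
    lists) as UTF-16LE, which a plain ASCII search would miss.
    """
    hits = []
    for encoding in ("latin-1", "utf-16-le"):
        for m in _case_insensitive_pattern(keyword, encoding).finditer(data):
            hits.append((m.start(), encoding))
    return sorted(hits)


def identify(header: bytes) -> Optional[str]:
    """Name the format from its leading bytes, trying the longest signature first."""
    for name, sig in sorted(MAGIC.items(), key=lambda kv: -len(kv[1])):
        if header.startswith(sig):
            return name
    return None


def check_extension(filename: str, header: bytes) -> Tuple[Optional[str], Optional[bool]]:
    """Return (format, extension_consistent). Unknown formats give (None, None)."""
    kind = identify(header)
    if kind is None:
        return None, None
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    return kind, ext in EXTENSIONS[kind]


def carve_signatures(data: bytes) -> List[Tuple[int, str]]:
    """Every offset at which a known signature starts, as a carver over unallocated space would find them."""
    found = []
    for name, sig in MAGIC.items():
        pos = data.find(sig)
        while pos != -1:
            found.append((pos, name))
            pos = data.find(sig, pos + 1)
    return sorted(found)


# Constructed "image": a JPEG header, an ASCII phrase, the same word in UTF-16LE,
# then PNG and ZIP headers, separated by zero padding.
SAMPLE_IMAGE = (
    b"\x00" * 16
    + b"\xff\xd8\xff\xe0\x00\x10JFIF\x00"      # jpeg header at offset 16
    + b"\x00" * 7
    + b"Meeting at the WAREHOUSE tonight"       # ascii hit at offset 49
    + b"\x00" * 8
    + "Warehouse key".encode("utf-16-le")       # utf-16le hit at offset 74
    + b"\x00" * 8
    + b"\x89PNG\r\n\x1a\n"                     # png header at offset 108
    + b"PK\x03\x04"                            # zip header at offset 116
)

if __name__ == "__main__":
    print(keyword_hits(SAMPLE_IMAGE, "warehouse"))
    print(carve_signatures(SAMPLE_IMAGE))
    print(check_extension("holiday.jpg", SAMPLE_IMAGE[108:]))   # PNG bytes behind a .jpg name
```

The extension check deliberately reports a mismatch only when the magic number is recognised; an unknown header yields (None, None) so that a plain text or unsupported file is not flagged as disguised. Very short signatures such as the BMP "BM" will hit inside ordinary text on a real image, so a carver should confirm the rest of the header (the size field, for instance) before treating such a hit as a file.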
