Term

Definition
Basic Input Output System

Term

Definition
- The boot sequence is followed in the disk order specified in CMOS RAM, and the first available OS is used
- The ability to boot from an OS that is not on the hard disk drive is an important feature for digital investigations

Term

Definition
- Computers use the binary number format: only 0s and 1s
- Each 0 or 1 is organized into groups of 8
- A group of 8 is the smallest amount of space that is typically allocated to data
- It can hold only 256 values, so groups are combined to store larger numbers; typical sizes include 2, 4, or 8

Term

Definition
- There are ten symbols (1, 2, 3, 4, 5, 6, 7, 8, 9, 0)
- A number is a series of these symbols, and each symbol has a value
- The rightmost symbol has a value of one, and each symbol to its left has a value ten times as much as the previous

Term

Definition
- Has only two symbols (0 and 1), and each column has a decimal value that is two times as much as the previous column
- Max value for a fixed bit size: 2^8-1 = 255, 2^32-1 = 4,294,967,295

Term

Definition
- Has 16 symbols (the numbers 0 to 9 followed by the letters A to F)
- Each column has a decimal value that is 16 times as much as the previous column
- "0x" is used as a prefix

Term

Definition
- Again, one byte can hold only 256 values
- To store more than 256 different values, bytes are grouped together
- Typical sizes include 2, 4, or 8 bytes

Term

Definition
- Computers know the layout of the data because of these
- Describes how data are laid out; it works like a template or map
- It is broken up into fields, and each field has a size and a name, although this information is NOT saved with the data

Term

Definition
- One of the most common sources of digital evidence

Term
Host Protected Area (HPA)
Definition
- A special area of the disk that can be used to save data; a casual observer (including the OS) might not see it
- The IDE controller has registers that contain information about the connected hard drive, which can be queried using ATA commands
- The OS uses IDENTIFY_DEVICE to find out the size of a hard drive
- HPA-aware software or firmware (e.g., BIOS) can read HPA data

Term

Definition
- The HPA is created at the end of the hard disk

Term
Writing to a Disk or Image File
Definition
- Create a duplicate copy on an HDD
  - Must be wiped with zeros
  - Can be modified once mounted
- Create an image file on an HDD or any storage
  - More common way
  - No automatic mount
  - Can be broken into smaller images to fit storage smaller than the source disk

Term
Error Handling in Forensic Image
Definition
- Do not ignore any bad sector. Rather, log its address and write 0s for it
- This will keep the other data in the correct location

Original
342622 xxxxxx xxxxxx 826193 153068 xxxxx 648633 774628
Copy
342622 000000 000000 826193 153068 000000 648633 774628

Term

Definition
- May include additional descriptive data about acquisition time/date
- Raw image is the most flexible
- Embedded image is common for proprietary solutions

A) Raw Image |----------------|
B) Embedded Image ||-------||--------||--------||-----|
C) Raw Image |---------| External metadata |-| |-| |-| |-|