The Linux dd command is commonly used to forensically wipe a drive.

Digital Forensics: Digital forensics is the process of uncovering and interpreting electronic data. The goal of the process is to preserve any evidence in its most original form while performing a structured investigation by collecting, identifying and validating the digital information for the purpose of reconstructing past events. The rapid growth and development of technology have made the computer a weapon which can cause great loss if used with wrong intentions. Computer forensics aims at collecting and analyzing evidence from seized devices in such a way that it is admissible in a court of law.

Anti-forensics: Anti-forensics is a collection of tricks and techniques used and applied with the clear aim of forestalling a forensic investigation. Crime and crime prevention go hand in hand: once a crime surfaces, a defence is developed, then a new crime counters the new defence. Hence, along with continuous developments in forensics, a thorough study and knowledge of developments in anti-forensics are equally important.

Types of anti-forensic techniques:

  • Artifact Wiping
  • Wiping Drive
  • Data hiding/Steganography
  • Trail obfuscation
  • Attack against computer forensics tools (CFTs) and processes
  • Encryption
  • Changing Metadata/Timestamps
  • Tunneling
  • Onion Routing
  • Disabled Logging
  • Spoofing

In this article, we will discuss the first two anti-forensics methods and will use tools to defeat those techniques. The remaining techniques will be covered in upcoming articles.

Artifact Wiping / Wiping a Drive: The methods used in artifact wiping are tasked with permanently eliminating particular files or entire file systems. This can be accomplished through a variety of methods that include disk cleaning utilities, file wiping utilities and disk degaussing/destruction techniques.

Artifact wiping is similar to destroying evidence. If someone unknowingly or intentionally leaves some artifacts in the system, then erasing this information is called artifact wiping. Deleting a file does not remove the file's content from the disk; it only deallocates the file's MFT entry or inode, so recovery of deleted files is an easy task. Wiping ensures that the file cannot be recovered using any tool (software or program) in the world. In traditional crime, "artifact wiping" is similar to removing fingerprints from a tool or clearing evidence from the crime scene.

The process of wiping a hard drive seeks to make data unreadable. Reformatting a drive or deleting files does not erase those files; the data remains. Using a program that overwrites the information is common, as the more times data is overwritten, the less readable the previous data becomes. More skilled criminals may go further by using the Linux dd command to wipe the drive forensically. Some may also engage in degaussing, a procedure in which a hard drive is exposed to a powerful magnet to erase it. This can cause complete deletion of all files, which then cannot be recovered. Forensic examiners can be helped by the existence of file fragments, as well as seemingly unrelated data. For instance, a chat sync folder could help to recover wiped Skype conversations even if the Skype database has been wiped or deleted.
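Added example (not from the article): a toy simulated disk in Python that shows why a deleted file is recoverable while a wiped one is not. Deleting clears only the directory entry (the MFT/inode deallocation described above) and leaves the data bytes in place, so a signature carver, the technique recovery tools rely on, still finds them; wiping overwrites the bytes before releasing the entry. The directory layout, block size and the `CHAT:` signature are constructed for this example.

```python
import struct

DISK_SIZE = 4096
ENTRY = struct.Struct("<16sHH")   # directory entry: name, start offset, length
SLOTS = 8                         # directory slots (constructed toy layout)
BLOCK = 256                       # data area: one fixed block per slot
DATA_START = ENTRY.size * SLOTS   # directory occupies the first 160 bytes

def _entries(disk):
    """Return (slot, name, start, length) for every allocated directory slot."""
    out = []
    for slot in range(SLOTS):
        raw, start, length = ENTRY.unpack_from(disk, slot * ENTRY.size)
        if raw.rstrip(b"\0"):
            out.append((slot, raw.rstrip(b"\0").decode(), start, length))
    return out

def list_files(disk):
    """What a normal directory listing shows: allocated entries only."""
    return [name for _, name, _, _ in _entries(disk)]

def write_file(disk, name, data):
    """Store data (must fit one block) in the block of the first free slot."""
    used = {slot for slot, *_ in _entries(disk)}
    free = next(s for s in range(SLOTS) if s not in used)
    start = DATA_START + free * BLOCK
    disk[start:start + len(data)] = data
    ENTRY.pack_into(disk, free * ENTRY.size, name.encode(), start, len(data))

def delete_file(disk, name):
    """'Delete': clear the directory entry only; the data bytes stay on disk."""
    for slot, n, _, _ in _entries(disk):
        if n == name:
            disk[slot * ENTRY.size:(slot + 1) * ENTRY.size] = bytes(ENTRY.size)

def wipe_file(disk, name):
    """'Wipe': overwrite the data bytes with zeros, then release the entry."""
    for _, n, start, length in _entries(disk):
        if n == name:
            disk[start:start + length] = bytes(length)
    delete_file(disk, name)

def carve(disk, magic):
    """Signature carving over the raw data area; each hit runs to the next NUL."""
    hits, pos = [], DATA_START
    while (off := disk.find(magic, pos)) != -1:
        end = disk.find(b"\0", off)
        hits.append(bytes(disk[off:end if end != -1 else DISK_SIZE]))
        pos = off + 1
    return hits
```

After `delete_file`, `list_files` no longer shows the file but `carve` still returns its text; after `wipe_file` the carver finds nothing for that block.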

Tools used for artifact wiping/wiping a drive: Linux dd, Eraser, File Shredder, R-Wipe, DBAN

  • Linux dd: dd is a great tool; it proves its capability as a great forensics tool. It can also be crucial for anti-forensic purposes.

e.g., a Bash script for file wiping using Linux dd:

```bash
#!/bin/bash
# Note: this only affects the script's own (non-interactive) shell,
# not the history of the interactive shell that launched it.
HISTFILE=/dev/null

echo -n "Insert a file name or path of file: "
read -r i

if [ -f "$i" ]; then
    # Size of the file in bytes
    size="$(stat --printf="%s" "$i")"
    # Overwrite the file's contents with zeros, one byte at a time
    dd if=/dev/zero of="$i" bs=1 count="$size"
    rm -f "$i"
else
    echo "$i: File Not Found"
fi
```

  • Eraser: Eraser is a freeware file wiping tool which supports multiple file wiping algorithms; it supports thirteen of them.
  • File Shredder: File Shredder is another tool that provides file wiping; it is freely available.
  • R-Wipe And Clean: This is a commercial file wiping tool that provides file wiping and some other functionality, such as a registry cleaner and traces cleaner.

For recovering deleted evidence we use the following tools.

Easeus: EaseUS Data Recovery Wizard is a data recovery program that uses a wizard-style user interface to guide users through the data recovery process. You can download the tool from the following link.

https://www.easeus.com/

On the home page, it gives you the option of which types of files you want to recover. Here we have selected all.

Now I will plug my flash drive into the system and check for the deleted files.

**Here the flash drive is shown with the name DeepakBhatt.**

Now I will start the scan to search for the deleted files.

After some time it will show me the data that has been deleted from my pen drive. Deleted files are indicated as d, and from there you can recover the files that were deleted.

Again, this tool is very important for recovering files that have been deleted by attackers, which can later be presented in a court of law.

Mini Tool: Many times, instead of deleting a single file or folder, attackers delete the whole partition. Using MiniTool, the forensic investigator can recover the deleted partition along with the data present inside it, which they can use as evidence and present in a court of law to put the attackers behind bars.

The tool's home screen will show you the deleted partition; you can select the partition to recover it and the data present inside it.

Once the scan is finished you will get exact information about the files present inside the deleted partition. You can recover the data by clicking the restore option.

These are the methods used by forensic investigators to defeat anti-forensics techniques. In our next article, we will discuss the rest of the anti-forensic techniques and how to defeat them.

For more information: https://www.infosectrain.com/courses/comptia-cysa/

Till then stay tuned.

Enjoy. ☺☺☺☺

Which of the following is the common default disk image format for DD acquired forensic images?

The E01 forensic image file format is the default imaging option for many computer forensics tools and has become a de facto standard of sorts. While somewhat less well known, the raw image file format also produces a bit-for-bit copy of the contents of a drive.

Which of the following is the first step when using Linux to create a forensic copy?

The first step in any computer forensic investigation is to make a copy of the suspected storage device. The information in a routing table is more volatile than a network topology.

When collecting data for forensics, which of the following describes data stored on a local hard drive?

The two basic types of data collected in computer forensics are persistent data, or data stored on a local hard drive (or another device) which is preserved when the computer is turned off, and volatile data, or data that is stored in memory and lost when the computer loses power.

What is an example of volatile data?

Data within volatile memory is retained only while the system is powered on; once the system is turned off, the data within the volatile memory is lost automatically. RAM (Random Access Memory) and cache memory are common examples of volatile memory.