Cyber Forensics Module - 2 Notes
Module 2
SYLLABUS
WHAT IS A NUMBER?
A number is a mathematical value used for counting or measuring or labelling objects. Numbers
are used to perform arithmetic calculations. Examples of numbers are natural numbers, whole
numbers, rational and irrational numbers, etc. 0 is also a number that represents a null value.
A number has many other variations such as even and odd numbers, prime and composite
numbers. Even and odd terms are used when a number is divisible by 2 or not, whereas prime
and composite differentiate between the numbers that have only two factors and more than two
factors, respectively.
In a number system, these numbers are used as digits. 0 and 1 are the most common digits in the
number system, that are used to represent binary numbers. On the other hand, 0 to 9 digits are
also used for other number systems. Let us learn here the types of number systems.
∴ (14)₁₀ = (1110)₂
Octal number system (base 8 number system)
In the octal number system, the base is 8 and it uses numbers from 0 to 7 to represent numbers.
Octal numbers are commonly used in computer applications. Converting an octal number to
decimal is the same as decimal conversion and is explained below using an example.
Example: convert (215)₈ into decimal.
Solution:
(215)₈ = 2 × 8² + 1 × 8¹ + 5 × 8⁰
= 2 × 64 + 1 × 8 + 5 × 1
= 128 + 8 + 5
= (141)₁₀
Hexadecimal digit:  0 1 2 3 4 5 6 7 8 9 A  B  C  D  E  F
Decimal value:      0 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15
Numbers can be represented in any of the number systems (binary, decimal, hexadecimal, etc.), and a number written in one system can be converted to any other. Check the detailed lesson on number system conversions to learn how to convert decimal to binary and vice versa, hexadecimal to binary and vice versa, and octal to binary and vice versa using various examples.
With the help of the conversion procedures explained above, let us briefly look at converting a number from one number system to another by taking an arbitrary number.
Assume the number 349. Its representation in the different number systems is as follows:
349 in the binary number system is 101011101.
349 in the decimal number system is 349.
349 in the octal number system is 535.
349 in the hexadecimal number system is 15D.
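The two conversion methods the notes use (repeated division to go from decimal to another base, and the weighted positional sum to come back) are implemented below as an added example; it is not part of the original notes. It generalizes the worked octal example to any base from 2 to 16 and round-trips the number 349 through all four systems.

```python
# Added example (not from the notes): base conversion by repeated division and
# by the positional (weighted sum) method, for any base between 2 and 16.

DIGITS = "0123456789ABCDEF"


def to_base(value: int, base: int) -> str:
    """Repeated division: the remainders, read in reverse order, are the digits."""
    if not 2 <= base <= 16:
        raise ValueError("base must be between 2 and 16")
    if value < 0:
        raise ValueError("only non-negative integers are handled here")
    if value == 0:
        return "0"
    digits = []
    while value:
        value, remainder = divmod(value, base)
        digits.append(DIGITS[remainder])
    return "".join(reversed(digits))


def from_base(text: str, base: int) -> int:
    """Positional method, e.g. (215)_8 = 2*8^2 + 1*8^1 + 5*8^0 = 141.

    Horner's form (total = total*base + digit) gives the same sum without
    computing the powers explicitly.
    """
    if not 2 <= base <= 16:
        raise ValueError("base must be between 2 and 16")
    total = 0
    for ch in text.upper():
        digit = DIGITS.find(ch)
        if digit < 0 or digit >= base:
            raise ValueError(f"digit {ch!r} is not valid in base {base}")
        total = total * base + digit
    return total


def all_representations(value: int) -> dict:
    """The same integer written in binary, octal, decimal and hexadecimal."""
    return {
        "binary": to_base(value, 2),
        "octal": to_base(value, 8),
        "decimal": to_base(value, 10),
        "hexadecimal": to_base(value, 16),
    }


if __name__ == "__main__":
    for name, text in all_representations(349).items():
        print(f"349 in {name}: {text}")
    print("(215) in octal ->", from_base("215", 8))
```

Running the block prints the four representations of 349 given above and 141 for the octal worked example; `from_base(to_base(n, b), b) == n` holds for every base, which is the quickest check that a hand conversion was done correctly.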
2.1.2 Character codes:-
Also called the character set, charset, or character encoding, a character code describes a specific encoding for characters as defined in a code page. Each character code defines how the bits in a stream of text are mapped to the characters they represent. ASCII is the basis of most code pages; for example, the character "C" is represented by the value 67 in ASCII.
WHAT IS A CHARACTER ENCODING SYSTEM?
Computers do not understand the English alphabet, text symbols, or any numbers other than 0 and 1. We use encoding to convert these. Encoding is the method or process of converting a series of characters (letters, numbers, punctuation, and symbols) into a special or unique format for transmission or storage in computers. Data is represented in computers using the ASCII, UTF-8, UTF-32, ISCII, and Unicode encoding schemes. All types of data, including numbers, text, photos, audio, and video files, can be handled by computers. For example, 65 is interpreted as "A" because every character, symbol, and number is assigned a unique code by the standard encoding schemes. Some of the commonly used encoding schemes are described below:
1. ASCII: ASCII stands for American Standard Code for Information Interchange. The X3 group, part of the ASA (American Standards Association), produced and published ASCII for the first time in 1963. The ASCII standard was first published in 1963 as ASA X3.4-1963, and it was revised ten times between 1967 and 1986. ASCII is an 8-bit code standard that divides the 256 slots into letters, numbers, and other characters. The ASCII decimal (dec) number is constructed using binary, which is the universal computer language. The decimal value of the lowercase "h" character (char) is 104, which is "01101000" in binary.
The ASCII table is broken down into three sections.
1. Non-printable system codes, between 0 and 31.
2. Lower ASCII, between 32 and 127.
3. Higher ASCII, between 128 and 255.
ASCII table for letters:
Letter  ASCII code    Letter  ASCII code
a       97            A       65
b       98            B       66
c       99            C       67
d       100           D       68
e       101           E       69
f       102           F       70
g       103           G       71
h       104           H       72
i       105           I       73
j       106           J       74
k       107           K       75
l       108           L       76
m       109           M       77
n       110           N       78
o       111           O       79
p       112           P       80
q       113           Q       81
r       114           R       82
s       115           S       83
t       116           T       84
u       117           U       85
v       118           V       86
w       119           W       87
x       120           X       88
y       121           Y       89
z       122           Z       90
2. ISCII: ISCII is the abbreviation for Indian Script Code for Information Interchange. ISCII is an encoding method that can be used to encode a wide range of Indian languages, both written and spoken. To ease transliteration across multiple writing systems, ISCII adopts a single encoding mechanism.
ISCII was established in 1991 by the Bureau of Indian Standards (BIS). It has a character count of roughly 256 and employs an 8-bit encoding technique. The first 128 characters, from 0 to 127, are the same as in ASCII. The following characters, which range from 128 to 255, represent characters from Indian scripts.
Advantages include:
1. The vast majority of Indian languages are represented in it.
2. The character set is simple and straightforward.
3. It is possible to easily transliterate between languages.
Disadvantages include:
1. A special keyboard with ISCII character keys is required.
2. Because Unicode was created later and included the ISCII characters, ISCII became obsolete.
3. Unicode: Unicode characters are translated and stored in computer systems as numbers (bit sequences) that the processor can handle. In Unicode, a code page is an encoding system that converts a set of bits into a character representation. Before Unicode, hundreds of different encoding techniques allocated a number to each letter or character in the world. Many of these methods used code pages with only 256 characters, each of which required 8 bits of storage.
1. Unicode enables the creation of a single software product or website for multiple platforms, languages, and countries (without re-engineering), resulting in significant cost savings over older character sets.
2. Unicode data can be used in a variety of systems without causing data corruption.
3. Unicode is a universal encoding technique that can be used to encode any language or letter irrespective of device, operating system, or software.
4. Unicode is a character encoding standard that allows you to convert between multiple character encoding systems. Because Unicode is a superset of all other major character encoding systems, you can convert from one encoding scheme to Unicode and then from Unicode to a different encoding scheme.
5. Unicode is the most extensively used encoding.
6. The applicable versions of ISO/IEC 10646, which defines the Universal Character Set character encoding, are fully compatible and synchronized with the Unicode standard versions. In other words, it includes 96,447 character codes, which are more than enough to encode any character symbol present in the world.
4. UTF-8: UTF-8 is a variable-width character encoding used in electronic communication. Using one to four one-byte (8-bit) code units, it can encode all 1,112,064 valid Unicode code points. Code points with lower numerical values are encoded with fewer bytes, since they occur more frequently. Its creators made sure that the encoding is ASCII compatible: the first 128 Unicode characters, which map one-to-one to ASCII, are encoded as a single byte with the same binary value as in ASCII, so ASCII text is also valid UTF-8-encoded Unicode.
Converting symbols to binary:
Character  ASCII  Byte
A          65     01000001
a          97     01100001
B          66     01000010
b          98     01100010
Z          90     01011010
0          48     00110000
9          57     00111001
!          33     00100001
?          63     00111111
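The table above and the UTF-8 description before it are tied together in the following added example (written for these notes, not taken from them): `ascii_row` produces the character / ASCII / byte rows, and `utf8_encode` encodes a code point by hand using the 1-, 2-, 3- and 4-byte patterns, which makes visible why every ASCII byte is also valid UTF-8. The sample code points used in the `__main__` block are chosen for illustration.

```python
# Added example (not from the notes): ASCII rows as in the table above, and a
# hand-written UTF-8 encoder to show the ASCII-compatible, variable-width layout.


def ascii_row(ch: str) -> tuple:
    """(character, ASCII code, 8-bit binary) for a single 7-bit ASCII character."""
    code = ord(ch)
    if code > 127:
        raise ValueError(f"{ch!r} is outside 7-bit ASCII")
    return (ch, code, format(code, "08b"))


def utf8_encode(code_point: int) -> bytes:
    """Encode one Unicode scalar value as 1 to 4 bytes.

    Layout (x = payload bits of the code point):
      < 0x80      0xxxxxxx                               (identical to ASCII)
      < 0x800     110xxxxx 10xxxxxx
      < 0x10000   1110xxxx 10xxxxxx 10xxxxxx
      otherwise   11110xxx 10xxxxxx 10xxxxxx 10xxxxxx
    """
    if code_point < 0 or code_point > 0x10FFFF or 0xD800 <= code_point <= 0xDFFF:
        raise ValueError("not a valid Unicode scalar value")
    if code_point < 0x80:
        return bytes([code_point])
    if code_point < 0x800:
        return bytes([0xC0 | (code_point >> 6),
                      0x80 | (code_point & 0x3F)])
    if code_point < 0x10000:
        return bytes([0xE0 | (code_point >> 12),
                      0x80 | ((code_point >> 6) & 0x3F),
                      0x80 | (code_point & 0x3F)])
    return bytes([0xF0 | (code_point >> 18),
                  0x80 | ((code_point >> 12) & 0x3F),
                  0x80 | ((code_point >> 6) & 0x3F),
                  0x80 | (code_point & 0x3F)])


def utf8_length(code_point: int) -> int:
    """How many bytes UTF-8 spends on this code point (1 for all of ASCII)."""
    return len(utf8_encode(code_point))


def encode_text(text: str) -> bytes:
    """Encode a whole string by concatenating the per-code-point encodings."""
    return b"".join(utf8_encode(ord(ch)) for ch in text)


if __name__ == "__main__":
    for ch in "AaBbZ09!?":
        print(ascii_row(ch))
    # Sample code points (chosen for the illustration): 'A', 'é', '€', and a 4-byte emoji.
    for cp in (0x41, 0xE9, 0x20AC, 0x1F600):
        print(f"U+{cp:04X} -> {utf8_encode(cp).hex(' ')} ({utf8_length(cp)} byte(s))")
```

The hand-rolled encoder agrees byte for byte with Python's built-in `str.encode("utf-8")`, and the one-byte case is literally the ASCII value, which is the compatibility property the notes describe.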
In this way, the user as well as the operating system can tell from the name alone what type of file it is. Most operating systems allow users to specify a file name as a sequence of characters followed by a period and terminated by an extension made up of additional characters. The extension not only helps the system indicate the type of the file but also the type of operations that can be performed on it; for example, only a file with a .com, .exe, or .sh extension can be executed.
Application programs also use extensions to indicate the file types they are interested in. For example, Java compilers expect source files to have a .java extension, and the Microsoft Word word processor expects its files to end with a .doc or .docx extension.
File signatures (also known as file magic numbers) are bytes within a file used to identify the format of the file. Generally they are 2 to 4 bytes long and are found at the beginning of the file.
Files, however, do not necessarily always have an extension. At times, the user may intentionally
rename and give the file a wrong extension and thus, in such cases, an extension may not even
reflect the actual file format. Nevertheless, in that case, the system can try a number of other
techniques to determine the file type, so that it can open that file in the most appropriate
program.
Magic numbers, also called file signatures, are the first few bytes of a file that are unique to a particular file type and, as a result, provide information about the data contained within the file. These few bytes of numerical and text values at the beginning of a file can be used by the system to "differentiate between and recognise different file formats/types" without a file extension.
For example, GIF images always begin with the ASCII representation of either GIF87a or GIF89a, depending on the standard to which they adhere.
This sequence of bytes is essential for a file to be opened, and changing it may render the file useless, as most tools will not open such files because of the potential for damage. These magic numbers / file signatures are typically not visible to the user, but they can be viewed and edited with the help of a hex editor (a computer program that allows manipulation of the binary data that constitutes a computer file).
If there is a discrepancy between a file's extension and its file signature, or if the file is corrupted, we can examine and repair the file using a hex editor.
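The extension-versus-signature discrepancy described above is exactly what a triage script checks first. The following is an added example (not the notes' own code): it identifies a format from its magic number and flags files whose extension disagrees. The signature table covers a handful of well-known formats, and the sample file headers are constructed in memory rather than read from disk.

```python
# Added example (not from the notes): identify a file format from its magic
# number and flag extension/signature mismatches. Sample headers are constructed.
import os
from typing import Optional

# Well-known magic numbers (first bytes of the file) and the format they denote.
SIGNATURES = {
    b"GIF87a": "gif",
    b"GIF89a": "gif",
    b"\x89PNG\r\n\x1a\n": "png",
    b"\xff\xd8\xff": "jpg",
    b"%PDF-": "pdf",
    b"PK\x03\x04": "zip",  # also the container used by docx, xlsx and jar files
}

# Extensions that are legitimately a different name for the same signature.
EXTENSION_ALIASES = {"jpeg": "jpg", "docx": "zip", "xlsx": "zip", "jar": "zip"}


def identify(header: bytes) -> Optional[str]:
    """Return the format whose signature the header starts with, or None."""
    for magic, fmt in SIGNATURES.items():
        if header.startswith(magic):
            return fmt
    return None


def check_extension(filename: str, header: bytes) -> dict:
    """Compare the claimed type (extension) with the actual type (signature)."""
    ext = os.path.splitext(filename)[1].lstrip(".").lower()
    ext = EXTENSION_ALIASES.get(ext, ext)
    detected = identify(header)
    return {
        "file": filename,
        "extension": ext,
        "signature": detected,
        # Only a *known* signature that contradicts the extension counts as a mismatch;
        # an unknown signature (plain text, for instance) is simply reported as None.
        "mismatch": detected is not None and ext != detected,
    }


# Constructed sample headers (only the first bytes of each file are needed).
SAMPLES = {
    "holiday.gif": b"GIF89a\x10\x00\x10\x00",
    "report.pdf": b"%PDF-1.7\n",
    "notes.txt": b"GIF87a\x01\x00",        # a GIF renamed to look like a text file
    "archive.docx": b"PK\x03\x04\x14\x00",
    "plain.txt": b"hello world\n",
}


def scan(samples=SAMPLES) -> list:
    """Run the check over every sample and return one report per file."""
    return [check_extension(name, header) for name, header in samples.items()]


if __name__ == "__main__":
    for report in scan():
        flag = "MISMATCH" if report["mismatch"] else "ok"
        print(f"{report['file']:<14} ext={report['extension']:<4} sig={report['signature']}  {flag}")
```

Only `notes.txt` is flagged: its first bytes say GIF while its name says text, the case the notes describe as a renamed file. Real triage tools read the header with the file opened read-only and keep a far larger signature table, but the logic is the same.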
GRAPHICS FORMATS
JPEG analysis (JPEGs): provides an analysis of JPEG files.
GIF analysis (GIFs): provides an analysis of GIF files.
TIF analysis (TIFs): provides an analysis of TIF files.
PNG analysis (PNGs): provides an analysis of PNG files.
BMP analysis (BMPs): provides an analysis of BMP files.
PSD analysis (PSDs): provides an analysis of PSD files.
WMF analysis (WMF): provides an analysis of WMF files.
Adobe Illustrator analysis (AI): provides an analysis of AI files.
Adobe InDesign analysis (INDD): provides an analysis of INDD files.
MIDI file (MIDI): provides an analysis of MID files.
ICO file (ICO): provides an analysis of ICO files.
PS file (PS): provides an analysis of PS files.
EPS file (EPS): provides an analysis of EPS files.
VSD file (VSD): provides an analysis of Microsoft Visio (VSD) files.
Revenge: http://www.sandersonforensics.com/content.asp?Page=325
McAfee FileInsight: http://www.mcafee.com/us/downloads/free-tools/fileinsight.aspx
FlexHex: http://www.flexhex.com/
WinHex: http://www.x-ways.net/winhex/index-m.html
This is the slowest activity in reading information from the disk. In a typical disk, each platter has two surfaces, so the number of tracks per cylinder is twice the number of platters. The number of cylinders is the same as the number of tracks on a disk surface, and each track has the same capacity. Hence the capacity of the disk is a function of the number of cylinders, the number of tracks per cylinder and the capacity of a track.
Optical media read and write data using laser light together with a reflective material incorporated into the disc. Optical discs are made of a polycarbonate base covered by a thin layer of aluminium. The disc is then coated with a clear acrylic material for protection. During manufacturing, the disc's surface is embossed with tiny bumps. This series of bumps forms one long, single, spiral track. A laser projects a highly focused beam of light onto the track. The light is reflected differently from the bumps and the spaces in between, called "lands." This change in reflectivity is what the system reads as binary (Brain). The most common types of optical storage media are CDs, DVDs, and Blu-ray discs (Brain).
Reading pits and lands (the disc is made of polycarbonate plastic with a thin layer of aluminium to make the reflective surface):
• CD-ROMs are stamped from a glass master disc that has a coating which is changed by the laser beam. When the coating is developed, the areas hit by the laser beam turn into pits, and the smooth, unchanged areas between the pits are called lands.
• When the stamped copy of the disc is read, a beam of laser light is focused on the track. The pits scatter the light, but the lands reflect back most of the light. This alternating pattern of high and low intensity represents the original digital information.
• 1s are represented by the transition from land to pit and back again. 0s are represented by the amount of time between transitions: the longer the time between transitions, the more 0s we have.
The encoding scheme used is such that it is not possible to have two adjacent 1s; 1s are always separated by 2 or more 0s. The data read from the track has to be translated back into 8-bit patterns of 1s and 0s to recover the original data. The encoding scheme, called EFM (eight-to-fourteen modulation), uses a lookup table to turn each original 8 bits of data into 14 expanded bits, which are represented as pits and lands on the disc.
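The transition rule just described (a 1 wherever the reflectivity changes, 0s for the time in between) and the "at least two 0s between 1s" constraint are small enough to simulate. The block below is an added example written for these notes, not code from them: it reads a constructed land/pit sample pattern back into channel bits, reverses the process, and checks the run-length rule. The upper bound of 10 zeros is the standard EFM limit, which the notes do not mention; the 8-to-14 lookup table itself is not reproduced here.

```python
# Added example (not from the notes): land/pit transitions <-> channel bits,
# plus a check of the run-length constraint EFM imposes on those bits.
from typing import List

LAND, PIT = "L", "P"


def channel_bits_from_surface(surface: str) -> str:
    """'1' where the reflectivity changes (land<->pit), '0' where it stays the same.

    One sample per channel-bit clock. The first sample is the reference level,
    so a pattern of n samples yields n-1 bits.
    """
    if any(s not in (LAND, PIT) for s in surface):
        raise ValueError("surface pattern may only contain 'L' and 'P'")
    return "".join("1" if prev != cur else "0" for prev, cur in zip(surface, surface[1:]))


def surface_from_channel_bits(bits: str, start: str = LAND) -> str:
    """Inverse operation: every '1' toggles between land and pit, every '0' holds."""
    level = start
    out = [level]
    for b in bits:
        if b not in "01":
            raise ValueError("channel bits may only contain '0' and '1'")
        if b == "1":
            level = PIT if level == LAND else LAND
        out.append(level)
    return "".join(out)


def zero_runs_between_ones(bits: str) -> List[int]:
    """Lengths of the 0-runs that sit between consecutive 1s."""
    ones = [i for i, b in enumerate(bits) if b == "1"]
    return [later - earlier - 1 for earlier, later in zip(ones, ones[1:])]


def satisfies_run_length(bits: str, min_zeros: int = 2, max_zeros: int = 10) -> bool:
    """EFM allows only 2 to 10 zeros between two 1s (the notes state the lower bound;
    the upper bound of 10 is the standard EFM limit, added here)."""
    return all(min_zeros <= run <= max_zeros for run in zero_runs_between_ones(bits))


if __name__ == "__main__":
    # Constructed sample: three lands, four pits, three lands.
    sample = "LLLPPPPLLL"
    bits = channel_bits_from_surface(sample)
    print(sample, "->", bits, "run-length ok:", satisfies_run_length(bits))
    print(bits, "->", surface_from_channel_bits(bits))
    print("'1101' is illegal:", not satisfies_run_length("1101"))
```

A pit of four clock periods produces exactly the pattern the notes describe: a 1 on entering the pit, zeros while the level holds, and another 1 on leaving it. A pattern such as `1101` can never come off a disc, which is why a drive treats it as a read error rather than data.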
At one time, optical discs were considered a potential replacement for hard disk drives (HDDs) in computing systems, but their lack of growth in capacity compared to both HDDs and, later, flash-based solid-state drives (SSDs) has relegated optical storage mostly to long-term archiving and data backup.
Although optical media are more durable and less vulnerable to environmental conditions than tape, HDDs and SSDs, optical discs are slower than the typical HDD and significantly slower than an SSD, and they offer lower storage capacities than either. Blu-ray discs are currently the fastest optical media on the market and provide much more capacity than CDs and DVDs, but they still lag behind HDDs and SSDs.
Over the years, optical media have taken a variety of forms, including LaserDisc (LD), HD DVD, write-once, read-many (WORM) optical cartridges and several others. From this mix, three formats have emerged as standards in today's optical storage market:
Compact disc (CD). The CD represents the first generation of commercial optical storage. After its introduction, it quickly replaced both vinyl records and cassette tapes as the audio medium of choice. Originally, CDs were available only as pre-recorded read-only discs, but it wasn't long before they became available as recordable and rewritable discs that could be used for data storage. A CD can hold up to 700 megabytes (MB) of data.
Digital versatile disc (DVD). Also referred to as the digital video disc, the DVD started out as a read-only medium similar to the CD but with the ability to hold enough data to store a full-length movie. A single-layer DVD can hold 4.7 gigabytes (GB) of data, and a double-layer disc can hold 8.5 GB. Not long after DVDs were introduced, recordable and rewritable discs became available for data storage.
Blu-ray. The Blu-ray disc has emerged as the clear leader in today's optical storage market. Unlike CDs and DVDs, which use a red laser to read and write data, a Blu-ray disc uses a blue laser, which dramatically increases capacity and data transfer rates over CDs and DVDs. Today's Blu-ray discs can store up to 128 GB of data and are available as read-only discs that hold pre-recorded high-definition feature films as well as recordable and rewritable discs for data storage.
The standard size for all three formats is the same: 120 mm (4.7 inches) in diameter and 1.2 mm (0.05 inches) thick. This standard makes it possible for Blu-ray drives to support DVDs and CDs and for DVD drives to support CDs. That said, optical drives are compatible only with earlier formats and not the other way around: CD drives cannot read DVDs or Blu-ray discs, and DVD drives cannot read Blu-ray discs.
Of interest for forensic analysis is the content on the optical media. For inspecting the data on the medium, the programs X-Ways Forensics, EnCase and FTK are very comprehensive. With their carving technologies they show the complete file contents of the disc, including content embedded in other file formats, such as pictures inside text documents or inside compressed archives. These tools also provide MAC time analysis: all three programs determine the date and time of the files contained on the disc for timeline production. The important task of proving authenticity can be done with these programs using hash functions. It is also possible to identify the burning program and the operating system used to write a disc. In addition, the study showed that deleted files can be made readable (only for packet writing). The program IsoBuster Pro allows all sessions to be extracted together with their previous content, and the content of multisession discs can be extracted separately, e.g. for analysis of a disc with various file formats. An examination showed that no data could be reconstructed from erased media, even rewritable media erased using the quick-erase mode. Nor was it possible to read the data in the unused area of a multisession disc.
Byte frequency distribution (BFD) is used as the feature extraction method. To create the BFD, the number of occurrences of each byte value in an input file is counted and an array with elements from 0 to 255 is created. Each element of the array is then normalized by dividing it by the maximum occurrence. The final result is a file containing 256 features for each instance. The next stage is feature selection, whose purpose is to decrease the number of features. Feature selection is the procedure of finding and selecting the minimum number of the most informative, relevant features. A genetic algorithm was used as the search method. The idea of using a genetic algorithm for feature selection is not new, since genetic algorithms can provide candidate solutions. Each candidate solution (chromosome) is represented by a binary feature vector of dimension 256, where zero (0) indicates that the respective feature is not selected and one (1) indicates that the feature is selected. The score of each candidate solution is evaluated by a fitness function. As the fitness function, the correlation-based feature selection (CFS) algorithm is utilized. This algorithm evaluates the candidate solutions from the genetic algorithm and chooses those which include features highly associated with the file type category and weakly correlated with each other, by calculating each candidate solution's merit. Let S be a candidate solution consisting of k features. The merit of each candidate solution is calculated as shown in Eq. 1.
CFS stops when five consecutive fully expanded candidate solutions show no improvement. The use of the genetic algorithm as the search method and CFS as the evaluator led to the reduction of the 256 extracted features to 44.
The third and final stage is classification, performed with a one-hidden-layer neural network trained with the back-propagation algorithm. A neural network with one hidden layer was also used by Harris to identify file types. Initially, the data are separated into a training set (70%) and a test set (30%). Furthermore, to estimate the accuracy of classification during the training phase, stratified 10-fold cross-validation is used [20]. Subsequently, unseen instances from all categories are presented to the model for evaluation.
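The feature extraction step above (count every byte value, normalize by the maximum count, 256 features per file) is implemented below as an added example; it is not code from the paper the notes summarize. To show that the features separate file types at all, a nearest-centroid classifier stands in for the neural network, and no genetic-algorithm/CFS feature selection is performed; both are substitutions made for the illustration. The training and query samples are constructed byte strings, not real files.

```python
# Added example (not from the notes): byte frequency distribution (BFD) features,
# with a nearest-centroid classifier standing in for the paper's neural network.
import math
from typing import Dict, List


def byte_frequency_distribution(data: bytes) -> List[float]:
    """256 features: count of each byte value divided by the maximum count."""
    counts = [0] * 256
    for value in data:
        counts[value] += 1
    peak = max(counts)
    if peak == 0:               # empty input: every feature is zero
        return [0.0] * 256
    return [c / peak for c in counts]


def centroid(vectors: List[List[float]]) -> List[float]:
    """Element-wise mean of the feature vectors of one file-type category."""
    n = len(vectors)
    return [sum(v[i] for v in vectors) / n for i in range(256)]


def euclidean(a: List[float], b: List[float]) -> float:
    return math.sqrt(sum((x - y) ** 2 for x, y in zip(a, b)))


def classify(data: bytes, centroids: Dict[str, List[float]]) -> str:
    """Assign the category whose centroid is closest to the sample's BFD."""
    features = byte_frequency_distribution(data)
    return min(centroids, key=lambda name: euclidean(features, centroids[name]))


# Constructed training samples: English text versus byte streams in which every
# value 0..255 occurs equally often (a stand-in for compressed/encrypted data).
TEXT_TRAINING = [
    b"The quick brown fox jumps over the lazy dog.",
    b"Forensic artifacts are tracks left behind on a system.",
]
BINARY_TRAINING = [
    bytes(range(256)) * 2,
    bytes((i * 37) % 256 for i in range(512)),   # 37 is coprime with 256: uniform
]
CENTROIDS = {
    "text": centroid([byte_frequency_distribution(s) for s in TEXT_TRAINING]),
    "binary": centroid([byte_frequency_distribution(s) for s in BINARY_TRAINING]),
}


if __name__ == "__main__":
    bfd = byte_frequency_distribution(b"aab")
    print("features for b'aab':", {chr(i): f for i, f in enumerate(bfd) if f})
    print(classify(b"Byte frequency distribution is used as a feature extraction method.", CENTROIDS))
    print(classify(bytes((i * 101) % 256 for i in range(768)), CENTROIDS))
```

Text concentrates its mass on a few dozen byte values (letters, space, punctuation) while the uniform samples light up all 256, so the two centroids sit far apart and the query strings land on the right side. The paper's point is that with a proper classifier and feature selection the same 256 features separate many more categories than this two-way toy.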
Internal buffers:-
A buffer may be used when moving data between processes within a computer. Buffers can be
implemented in a fixed memory location in hardware or by using a virtual data buffer in
software, pointing at a location in the physical memory. In all cases, the data in a data buffer are
stored on a physical storage medium.
Most buffers are implemented in software, which typically uses the faster RAM to store temporary data because of its much faster access time compared with hard disk drives. Buffers are typically used when there is a difference between the rate at which data is received and the rate at which it is processed, for example in a printer spooler or in online video streaming.
PURPOSE OF BUFFERING
You encounter buffering when watching videos on YouTube or live streams. In a video stream, the buffer represents the amount of data that must be downloaded before the video can play for the viewer in real time. In a computer environment, a buffer means that a set amount of data is stored in advance so that it is ready before it is used by the CPU.
Computers have many different devices that operate at varying speeds, and a buffer is needed to act as a temporary holding place for everything interacting. This keeps everything running efficiently and without issues between all the devices, programs, and processes running at the time. There are three reasons for buffering data:
1. It helps match the speeds of the two devices between which data is transmitted. For example, a hard disk has to store a file received from a modem. The transmission speed of the modem is slow compared with the hard disk, so the bytes coming from the modem are accumulated in the buffer, and when all the bytes of the file have arrived in the buffer, the entire file is written to the hard disk in a single operation.
2. It helps devices with different data transfer sizes adapt to each other, and it lets devices manipulate data before sending or receiving it. In computer networking, a large message is fragmented into small fragments and sent over the network. The fragments are accumulated in the buffer at the receiving end and reassembled to form the complete message.
3. It also supports copy semantics. With copy semantics, the version of the data in the buffer is guaranteed to be the version of the data at the time of the system call, irrespective of any subsequent change to the data. Buffering increases the performance of the device: it overlaps the I/O of one job with the computation of the same job.
Buffering involves working with large chunks of data in memory, so that the number of accesses to secondary storage can be reduced.
Buffer bottleneck:
• Assume that the system has a single buffer and is alternately performing input and output one character at a time.
• In this case, the sector containing the character to be read is constantly overwritten by the sector containing the spot where the character has to be written, and vice versa.
• In such a case, the system needs more than one buffer.
• Moving data to and from disk is very slow, and programs may become I/O bound.
Therefore, we need to find better strategies to avoid this problem.
Some buffering strategies:
• Multiple buffering
  o Double buffering
  o Buffer pooling
• Move mode and locate mode
Multiple buffering:
Reading from or writing to a disk is time consuming. To use the CPU efficiently, buffers are maintained. If two buffers are used, the CPU can be filling one buffer while the contents of the other are being transmitted to disk. When both tasks are finished, the roles of the buffers are exchanged. This method of swapping the roles of two buffers after each operation is called double buffering.
Double buffering allows the OS to operate on one buffer while the other is being loaded or emptied. In the figure,
(a) the contents of system I/O buffer 1 are sent to disk while I/O buffer 2 is being filled, and
(b) the contents of buffer 2 are sent to disk while I/O buffer 1 is being filled.
Buffer pooling
• When a system buffer is needed, it is taken from a pool of available buffers and used.
• When the system receives a request to read a certain sector or block, it searches the pool to find whether any buffer already contains that sector or block. If no buffer contains it, the system finds a free buffer in the pool and loads the sector or block into it.
Move mode and locate mode
For a program to read or write the contents of a file, the data has to move from the user's data area to the system buffer (or vice versa). This movement of data takes time. This method of moving chunks of data from one place to another in memory before accessing the data is called move mode.
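The double-buffering procedure described above (fill one buffer, hand the full one to the disk, swap roles, keep filling) is small enough to simulate deterministically. The block below is an added example written for these notes, not code from them. The cost model (a fixed cost per disk access plus a cost per record transferred) and the numbers in it are assumptions chosen to make the reduction in disk accesses visible, not figures from the notes.

```python
# Added example (not from the notes): simulation of double buffering versus
# unbuffered output. Cost constants are assumed for the illustration.
from typing import Iterable, List

SEEK_COST = 10        # assumed cost of one disk access (seek + rotational delay)
PER_RECORD_COST = 1   # assumed cost of transferring one record


class DoubleBuffer:
    """Two buffers: one is filled by the program while the other drains to disk."""

    def __init__(self, capacity: int):
        if capacity < 1:
            raise ValueError("capacity must be positive")
        self.capacity = capacity
        self.filling: List = []     # buffer currently receiving records
        self.draining: List = []    # buffer currently being written to disk
        self.disk: List = []        # stand-in for the secondary storage device
        self.disk_accesses = 0
        self.elapsed = 0

    def put(self, record) -> None:
        self.filling.append(record)
        if len(self.filling) == self.capacity:
            self._swap_and_drain()

    def _swap_and_drain(self) -> None:
        # Exchange roles: the full buffer drains while the (now empty) other
        # buffer can accept new records immediately, which is the overlap the
        # notes describe between the CPU's work and the I/O transfer.
        self.filling, self.draining = self.draining, self.filling
        self.disk.extend(self.draining)            # one device access per drain
        self.disk_accesses += 1
        self.elapsed += SEEK_COST + PER_RECORD_COST * len(self.draining)
        self.draining.clear()

    def flush(self) -> None:
        """Drain whatever is left when the program is done writing."""
        if self.filling:
            self._swap_and_drain()


def write_buffered(records: Iterable, capacity: int) -> dict:
    buf = DoubleBuffer(capacity)
    for r in records:
        buf.put(r)
    buf.flush()
    return {"disk": buf.disk, "accesses": buf.disk_accesses, "cost": buf.elapsed}


def write_unbuffered(records: Iterable) -> dict:
    """Every record goes to the device on its own: one access per record."""
    disk = list(records)
    n = len(disk)
    return {"disk": disk, "accesses": n, "cost": n * (SEEK_COST + PER_RECORD_COST)}


if __name__ == "__main__":
    data = list(range(10))
    print("buffered  :", write_buffered(data, capacity=4))
    print("unbuffered:", write_unbuffered(data))
```

Ten records with buffers of four reach the disk in the same order either way, but with 3 device accesses instead of 10; under the assumed costs that is 40 units against 110. A real implementation would issue the drain asynchronously so the program is not blocked while it fills the other buffer; the simulation only accounts for the number and size of the transfers.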
Many cyber security consultants are deploying a quiet revolution as they transition from
managing the perimeter to extracting and analyzing any residue left by cyber thieves on every
endpoint device, be it a laptop, desktop, or mobile device. When you reverse engineer an
operating system, you can find “artifacts,” which convey every user and application that ever
interacted with the system. You can find these artifacts deep in the os system files, memory, file
systems, and more. You can’t clear or modify artifacts as you might do with log files.
Concerning cyber security services, artifacts can provide significant clues about any
unauthorized access by unauthorized entities. For instance, when the office of personnel
management’s systems were hacked, remote access trojan artifacts helped serve as clues about
the attackers and their malicious activities.
So, what is an artifact in cyber security? Artifacts are tracks that get left behind. You could
associate them with the footprints of the end-user or hacker. However, end-users are often
unaware that artifacts exist. Like permanent footprints, they are challenging to manipulate. As a
result, artifacts help cyber security consultants in their role of uncovering the root causes of a
data breach and the threat actors involved.
Every investigation is unique because people are unique. Forensic artifacts found in one case may not exist in another. Even within the same case, the storage media being analyzed will differ, requiring different skill sets and tools. Motives differ from one suspect to the next, as does each suspect's level of technical skill.
Knowing that every suspect is different from the next, that there are many ways to commit the same crime, and that the technology used depends on the choices of the suspect, take a breath and think before going fishing in an ocean of electronic data. If your job is solely digital forensics, with no interaction with victims or suspects, you need constant communication with the case agent. The forensic examiner needs to know the objectives and goals of the investigation. Analyzing terabytes of data is already akin to searching for a needle in a haystack of needles. Being made aware of the case details and the needs of the investigator will prevent frustration for everyone involved in the case.
Investigations, whether criminal or civil in nature, in which the forensic examiner is deliberately not made aware of intimate case details will only result in a massive amount of time spent needlessly hoping that evidence miraculously jumps out during an exam. In most cases, knowing the details of an investigation enables the forensic analyst to target specific data, in specific areas, that may resolve the case or produce investigative leads that satisfy the case goals. It is as much the forensic examiner's responsibility to ask as it is the responsibility of the case agent (or client) to inform the forensic examiner of important information.
Frequently, cyber security services must include investigative activities. When assessments are
drawn, artifacts help to corroborate the findings. Moreover, artifacts can reveal evidence even
when the perpetrators proclaim innocence. Artifacts can also show the cyber criminal’s intent by
displaying their internet searches and what websites were visited. To illustrate, digital artifacts
might include the following:
Usually, the root cause of a cyber-attack is never discovered, nor are the threat actors ever found. Unfortunately, many data breaches are never solved and are often not expected to be solved. Fortunately, today's cyber security services come with the methods, processes, and tools to collect artifacts and, therefore, concrete evidence and attribution.
The traces left by cyber thieves, their artifacts, can help identify more extensive data breach campaigns. But cyber criminals can also plant cyber false flags, which is a severe issue. Cyber false flags are any tactic used to misdirect attempts to determine the attacker's identity, movement, location, and methods. With misdirection comes misattribution. With artifacts, however, cyber security consultants can dig a little deeper to find the cyber criminal's intent. While not an easy task, it is crucial: it is critical to get attribution right, as a mistake can lead to disastrous consequences.
For companies with limited resources, it is challenging to determine the right tools to search for artifacts. It is also essential to ask the right questions and to determine how reliable the conclusions are. Moreover, today's systems are much more complex, making it difficult for many businesses to find relevant data without the help of a reputable vendor that offers cyber security services.
Artifacts are not sitting out in the open, readily available for any end-user to find. You need to partner with cyber security experts who have the right tools and the knowledge of where to look, how to interpret the artifacts, whether cyber false flags have been deployed, and how to corroborate the findings to present a reliable conclusion. To increase your odds, partner with a vendor who understands where and how to find artifacts.
2. Verification of the copied data: after the data is copied from the hard drive of the system under investigation to another drive, the forensic examiner verifies that the copy is exactly the same as the original, normally by computing a cryptographic hash (for example SHA-256) of the original and of the copy and confirming that the two values match.
3. Ensuring the copied data is forensically sound: the copy must be a bit-for-bit image of the original medium, and the original must not be altered in any way during acquisition. Simply mounting a drive can change it, because the operating system writes to the file system (access timestamps, journal entries, recycle-bin metadata). The examiner therefore attaches the evidence drive through a write-blocking device, so that reads are allowed and writes are physically refused, and images it in a forensically sound manner.
4. Deleted files recovery: files deleted by the user can often be recovered. Deleting a file usually only removes its directory entry and marks its blocks as free; the content remains on the medium until it is overwritten, and forensic tools know how to locate and reconstruct it.
5. Finding data in free space: the operating system sees unallocated space on the drive as available for new files, but it still holds the remnants of temporary files and of files deleted long ago, until new data is written over them. Forensic examiners search this unallocated space (and the slack space at the end of allocated files) and carve files out of it by their signatures.
6. Performing keyword search: forensic examiners use software that scans the entire medium, including unallocated space, for the given keywords and reports every location where they occur.
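As an added illustration of steps 4 to 6 (this is example code written for these notes, not code from the original page or from any forensic product), the following Python script builds a small constructed disk image in which a deleted JPEG and a fragment of a deleted note survive in unallocated space, carves the JPEG out by its header and footer signatures without any help from a file system, and runs a case-insensitive keyword search that reports the byte offset, sector and region of every hit. The 512-byte sector size, the image layout, the signature table and the sample contents are all assumptions made for the demonstration.

```python
"""Signature carving and keyword search over a constructed disk image (demo)."""
import re

SECTOR = 512  # assumed sector size of the constructed image

# Header/footer signatures (magic numbers) for a few common file types.
SIGNATURES = {
    "jpeg": (b"\xff\xd8\xff", b"\xff\xd9"),
    "png": (b"\x89PNG\r\n\x1a\n", b"IEND\xaeB`\x82"),
    "pdf": (b"%PDF-", b"%%EOF"),
}

# Constructed contents: sector 0 is 'allocated'; sectors 1-2 are 'unallocated'
# and hold a deleted JPEG followed by a fragment of a deleted text note.
DELETED_JPEG = b"\xff\xd8\xff\xe0" + b"JFIF fake pixel data " * 4 + b"\xff\xd9"
DELETED_NOTE = b"meeting with john.doe@example.com about the wire transfer"


def build_sample_image() -> bytes:
    """Build the constructed image; a real case would read /dev/sdX or an image file."""
    allocated = b"ALLOCATED FILE: quarterly report.docx".ljust(SECTOR, b"\x00")
    free = DELETED_JPEG + b"\x00" * 37 + DELETED_NOTE
    unallocated = free.ljust(SECTOR * 2, b"\x00")
    return allocated + unallocated


def region(offset: int) -> str:
    """Classify an offset by the constructed layout (only sector 0 is allocated)."""
    return "allocated" if offset < SECTOR else "unallocated"


def carve_by_signature(image: bytes, signatures=SIGNATURES, max_size=10_000_000):
    """Carve files out of raw bytes by header/footer, ignoring any file system.

    Returns one record per carved file with its type, offset, size and bytes.
    A header with no footer after it is treated as a truncated/overwritten file.
    """
    found = []
    for ftype, (header, footer) in signatures.items():
        start = image.find(header)
        while start != -1:
            end = image.find(footer, start + len(header))
            if end == -1:
                break
            end += len(footer)
            if end - start <= max_size:
                found.append({"type": ftype, "offset": start, "sector": start // SECTOR,
                              "region": region(start), "size": end - start,
                              "data": image[start:end]})
            start = image.find(header, end)
    return sorted(found, key=lambda r: r["offset"])


def keyword_search(image: bytes, keywords, context=16):
    """Case-insensitive search of the whole image, unallocated space included."""
    hits = {}
    for kw in keywords:
        pattern = re.compile(re.escape(kw.encode()), re.IGNORECASE)
        hits[kw] = [
            {"offset": m.start(), "sector": m.start() // SECTOR,
             "region": region(m.start()),
             "context": image[max(0, m.start() - context): m.end() + context]}
            for m in pattern.finditer(image)
        ]
    return hits


if __name__ == "__main__":
    img = build_sample_image()
    for rec in carve_by_signature(img):
        print(f"carved {rec['type']} at offset {rec['offset']} (sector {rec['sector']}, "
              f"{rec['region']}), {rec['size']} bytes")
    for kw, hs in keyword_search(img, ["wire transfer", "report"]).items():
        for h in hs:
            print(f"'{kw}' at offset {h['offset']} ({h['region']}): {h['context']!r}")
```

Run against the constructed image, the carver recovers the 90-byte JPEG at offset 512 (sector 1, unallocated), and the keyword search finds "wire transfer" only in unallocated space and "report" only in the allocated sector, which is exactly the distinction an examiner records when deciding whether a hit came from a live file or from a deleted remnant.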
CLOUD STORAGE
While not exactly a device, cloud storage is the newest and most versatile type of storage for computers. "The cloud" is not one place or object, but rather a huge collection of servers housed in data centres around the world. When you save a document to the cloud, you are storing it on those servers, under an account that the provider authenticates.
Because cloud storage keeps the data on the provider's servers, it does not consume your computer's secondary storage (a sync client may keep a local copy, but that is optional).
Cloud storage offers far higher capacities than USB flash drives and other physical media, and it keeps all of your files in one searchable place instead of scattered across devices.
External HDDs and SSDs were once favoured for their portability, but they, too, fall short compared to cloud storage. Pocket-sized external drives exist, but they are still tangible devices that can be lost, stolen or damaged. The cloud goes with you anywhere without taking up physical space and without the physical vulnerabilities of an external drive; in exchange, access to the data depends entirely on the security of the account credentials and on the provider.
External storage devices were also popular as a quick way to transfer files, but they are only useful if you can physically reach each device. Cloud computing is thriving because many businesses now operate remotely: nobody mails a USB drive overseas to send a large file to a colleague. Cloud storage acts as a bridge between remote workers, making collaboration from afar straightforward.
If you forget to bring a hard drive containing important documents to a meeting, there is not much you can do other than go back and get it. If you break or lose a hard drive altogether, it is unlikely you will ever get that data back. Cloud storage removes those particular risks: your data is held on the provider's servers and is accessible whenever and wherever you are, so long as you have internet access. It does not remove the risk of account compromise, which is why strong authentication on the account matters as much as the storage itself.
A sync client such as Dropbox presents the files in your account on your desktop as if they were stored locally, while the content itself stays in the cloud and does not use up your disk space. Files kept this way are always one click away, can be accessed from any device with an internet connection, and can be shared in an instant.
ONLINE BACKUP
Cloud storage is a good way to store individual files and folders, but if you want a more robust option that protects all of your content, you need an online backup. A backup service such as Dropbox Backup automatically copies your files and folders to the cloud so that they can be restored quickly after a computer is broken, lost or stolen. It also helps when you set up a new computer or laptop: instead of tracking down content from various drives and cloud accounts, the backup gets the new machine up and running in a few clicks.
In addition to the storage media contained within a computer, there are digital storage devices that are external to it. These are commonly used to expand the capacity of a computer that is running low on space, to add portability, or to transfer files easily from one device to another. Some backup services can also back up external drives to the cloud, so that their contents are accessible from anywhere.
We mentioned flash memory earlier when discussing SSDs. A flash memory device contains billions of flash memory cells, each built around a floating-gate transistor that traps or releases electrical charge. The amount of charge in a cell is read as one or more bits (1s and 0s in binary code), which is how the computer writes information to the device and reads it back.
One of the most recognizable types of flash memory device is the USB flash drive. Also known as a thumb drive or memory stick, these small, portable storage devices have long been a popular choice for extra computer storage. Before it was quick and easy to share files online, USB flash drives were essential for moving files from one device to another. However, they can only be used on devices with a matching USB port: older computers have USB-A ports, while many newer laptops offer only USB-C and need an adapter.
These days a USB flash drive can hold up to 2 TB. They are more expensive per gigabyte than an external hard drive, but they remain a simple, convenient solution for storing and transferring smaller files.
Aside from USB drives, flash memory devices also include SD cards and other memory cards, which you will recognize as the storage medium used in digital cameras.
CDs, DVDs and Blu-ray discs are used for a lot more than playing music and videos; they also act as storage devices. Collectively they are known as optical storage devices or optical media.
Binary data is stored on these discs as minuscule pits, and the flat "lands" between them, along a track that spirals outwards from the centre of the disc. When the disc is in operation it spins while a laser inside the drive scans the track. A change in the reflected light at each transition between a pit and a land is read as a 1, and a stretch with no transition as a run of 0s.
A DVD has a tighter spiral track than a CD, allowing it to store more data on a disc of the same size, and DVD drives use a finer red laser than the infrared laser of CD drives. DVDs also allow dual layering to increase their capacity further. Blu-ray took things to another level, storing data on multiple layers with even smaller pits that require an even finer blue-violet laser to read them.
CD-ROM, DVD-ROM and BD-ROM are read-only optical discs. Their data is pressed in at manufacture and cannot be removed or overwritten, so they cannot be used for personal storage; instead they are typically used to distribute software.
CD-R, DVD-R and BD-R discs are recordable but cannot be overwritten: whatever you write to a blank recordable disc is stored there permanently. They can store data, but they are not as flexible as other storage devices.
CD-RW, DVD-RW and BD-RE discs are re-writable, so you can write new data to them and erase unwanted data as often as you like. They have been overtaken by newer technology such as flash memory, but CD-RWs were once the top choice for external storage. Many desktop computers and some laptops still have a CD or DVD drive.
A CD can store up to 700 MB of data, a dual-layer DVD up to 8.5 GB, and a Blu-ray disc between 25 and 128 GB.
FLOPPY DISKS
While they are obsolete at this point, we cannot discuss storage devices without at least mentioning the humble floppy disk, aka diskette. Floppy disks were the first widely available portable, removable storage devices, which is why most "save" icons look the way they do: they are modelled after the floppy disk. They work in the same way as hard disk drives (magnetic recording on a spinning disk), only at a much smaller scale.
The standard 3.5-inch floppy held just 1.44 MB, and even the largest floppy variants held only a few hundred megabytes before CD-RW and flash drives became the favoured storage media. The iMac, released in 1998, was the first mainstream personal computer shipped without a floppy disk drive, and from there the 30-year reign of the floppy disk declined very quickly.
A storage device is a piece of hardware that is primarily used for storing data. Every desktop computer, laptop, tablet and smartphone has some kind of storage device within it. There are also standalone, external storage drives that you can use across devices.
Storage is not only necessary for saving files, but also for running tasks and applications. Any file you create or save on your computer is written to the computer's storage device, which also holds your applications and the operating system.
As technology has advanced, data storage devices have evolved in a major way. Nowadays storage devices come in many shapes and sizes, and there are several types of storage device that cater to different devices and functions.
A storage device is also known as a storage medium (plural: storage media). Digital storage capacity is measured in megabytes (MB), gigabytes (GB) and, these days, terabytes (TB).
Some computer storage devices hold information permanently while others can only hold it temporarily. Every computer has both primary and secondary storage: primary storage (RAM) acts as the computer's short-term memory, and secondary storage as its long-term memory.
SECONDARY STORAGE: HARD DISK DRIVES (HDD) & SOLID-STATE DRIVES (SSD)
In addition to RAM, every computer also has another storage drive that is used for storing information on a long-term basis. This is secondary storage. Any file you create or download is saved to the computer's secondary storage. Two types of storage device are used as secondary storage in computers: HDDs and SSDs. HDDs are the more traditional of the two, but SSDs are fast overtaking them as the preferred technology for secondary storage.
Secondary storage devices are often removable, so you can replace or upgrade your computer's storage, or move the drive to a different computer. There are notable exceptions, such as recent MacBooks, whose storage is soldered to the logic board and cannot be removed.
The hard disk drive (HDD) is the original hard drive. These are magnetic storage devices that have been around since the 1950s, though they have evolved over time.
A hard disk drive is made up of a stack of spinning disks known as platters. Each platter surface is divided into billions of tiny magnetic regions that can be magnetised in one direction or the other to represent bits (1s and 0s in binary code). An actuator arm with a read/write head sweeps over the spinning platters and magnetises those regions to write data to the HDD, or senses their magnetic orientation to read data from it.
HDDs are used in TV recorders, servers, and laptop and PC storage.
SOLID-STATE DRIVES (SSD)
Solid-state drives emerged far more recently, in the 1990s. SSDs do not rely on magnets and spinning disks; instead they use a type of flash memory called NAND, in which semiconductor cells store information as trapped electrical charge. This means that, unlike HDDs, SSDs have no moving parts.
Because of this, SSDs not only work faster than HDDs (an HDD takes longer to reach data because its platters must spin and its heads must move into position), they are also far more tolerant of shock, since HDDs with their intricate moving parts are vulnerable to mechanical damage. NAND cells do, however, wear out after a finite number of write cycles, so the drive's controller spreads writes across the cells (wear levelling) and, with the operating system's TRIM command, erases blocks of deleted data in the background. For the forensic examiner this matters: on an SSD, deleted data may be physically gone long before an HDD would have overwritten it, so deleted-file recovery is less reliable.
Beyond newer PCs and high-end laptops, you will find SSDs in smartphones, tablets and sometimes video cameras.
Chapter 2
2.2 Computer basics for digital investigators:
2.2.1 Computer forensic fundamentals: -
Computer forensics is the process of locating evidence found on computer hard drives and digital
storage media, and securing and preserving that evidence in a manner that allows for its use in
court.
Computers may contain evidence relevant to criminal, civil or family law cases, ranging from
email correspondence and text messages, through text and data files, through spreadsheets and
other documents.
A search for evidence can include searching for deleted files and file fragments, metadata associated with files, as well as various history files that reflect program use and internet activity.
It will often be possible to determine when a document or file was first saved to a computer or
digital device, when it was last modified, when it was last saved, and the identity of the computer
user who last saved or modified the document.
When looking for digitally stored evidence, it is important that an investigator abides by four basic principles:
Preservation of the original data: in the process of searching for and securing data held on a
computer or storage media, no changes should be made to the original data.
Competence: the person who accesses data on a computer or digital storage media should be
competent to perform those tasks, and should be able to provide an expert explanation of all
steps taken to access the data and why those steps were taken.
Maintain an audit trail: the investigator searching for evidence should create and preserve a
record of how any evidence was found, with that record being of sufficient detail that an
independent third party can carry out the same steps in order to replicate the results of the
original forensic investigation.
Supervision and control: the person who is responsible for the investigation should make
certain that the investigation is properly handled and documented, consistent with the law and
industry practices.
Ideally, data will be obtained from a device that is powered off (a "dead" acquisition). The forensic investigator makes an exact, bit-for-bit copy of the original storage medium using tools that make no changes to the original, records a hash of both the original and the copy, and performs all subsequent analysis on the copy.
Sometimes it is not possible to power down the computer that holds the original data: shutting it down would lose volatile evidence (running processes, network connections, encryption keys held in RAM) or would be unacceptable for a production server. In that case a live ("hot") acquisition is necessary, running a program on the computer that captures the data as it exists at the time the program is run.
A live acquisition unavoidably changes the original system, since the acquisition tool itself runs in memory and touches the disk, and must therefore be handled with great care, so that the forensic examiner can establish why it was necessary to obtain the data from a device that was not shut down, that proper protocols were followed to minimise the changes, and that the process used did not cause any changes that could have affected the evidence recovered from the device.
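The following Python script is an added example written for these notes (it is not code from the original page or from any forensic tool) of a dead acquisition done the way the paragraphs above describe: the source is opened read-only as a software stand-in for a hardware write blocker, it is hashed before and after the copy, the image is hashed afterwards, the three values are compared, and every step is appended to an audit log that a third party could replay. The evidence file, examiner name, case number and paths are constructed for the demonstration; on a real case the source would be a block device such as /dev/sdb attached through a write blocker, and the audit log would be kept with the case file.

```python
"""Dead acquisition with hash verification and an audit trail (demo)."""
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone


def sha256_of(path: str, block_size: int = 1 << 20) -> str:
    """Stream a file through SHA-256 so large images do not need to fit in RAM."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(block_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


class AuditLog:
    """Append-only record of every step, detailed enough for a third party to replay."""

    def __init__(self, examiner: str, case_id: str):
        self.examiner = examiner
        self.case_id = case_id
        self.entries = []

    def record(self, action: str, **details):
        self.entries.append({
            "time": datetime.now(timezone.utc).isoformat(),
            "case": self.case_id, "examiner": self.examiner,
            "action": action, **details,
        })

    def to_json(self) -> str:
        return json.dumps(self.entries, indent=2)


def acquire_image(source: str, image: str, log: AuditLog, block_size: int = 4096) -> dict:
    """Copy `source` to `image` block by block and prove nothing changed.

    The source is opened read-only (the software stand-in for a write blocker);
    hashing it before and after the copy shows the original was not altered.
    """
    before = sha256_of(source)
    log.record("hash_source_before_copy", path=source, sha256=before)
    copied = 0
    with open(source, "rb") as src, open(image, "wb") as dst:
        for chunk in iter(lambda: src.read(block_size), b""):
            dst.write(chunk)
            copied += len(chunk)
    log.record("copy", source=source, image=image, bytes=copied, block_size=block_size)
    after = sha256_of(source)
    image_hash = sha256_of(image)
    verified = before == after == image_hash
    log.record("verify", source_sha256_after=after, image_sha256=image_hash, verified=verified)
    return {"source_sha256_before": before, "source_sha256_after": after,
            "image_sha256": image_hash, "bytes": copied, "verified": verified,
            "image_path": image}


def verify_image(image: str, expected_sha256: str) -> bool:
    """Re-check an image against its recorded hash before every analysis session."""
    return sha256_of(image) == expected_sha256


def run_demo() -> dict:
    """Construct a stand-in evidence file, acquire it and return the record."""
    workdir = tempfile.mkdtemp(prefix="acquisition_")
    source = os.path.join(workdir, "evidence_drive.bin")  # stands in for /dev/sdb
    with open(source, "wb") as fh:
        fh.write(b"BOOT" + os.urandom(8192) + b"remnant of a deleted e-mail" + b"\x00" * 1024)
    os.chmod(source, 0o444)  # second guard: the evidence file itself is read-only
    log = AuditLog(examiner="examiner-01", case_id="CASE-0001")
    log.record("acquisition_start", source=source, note="source attached read-only")
    record = acquire_image(source, os.path.join(workdir, "evidence_drive.raw"), log)
    record["actions"] = [entry["action"] for entry in log.entries]
    record["audit_json"] = log.to_json()
    return record


def tamper_check(record: dict) -> bool:
    """Append one byte to the image and re-verify; False means the tampering was caught."""
    with open(record["image_path"], "ab") as fh:
        fh.write(b"\x00")
    return verify_image(record["image_path"], record["image_sha256"])


if __name__ == "__main__":
    rec = run_demo()
    print("verified:", rec["verified"], "bytes:", rec["bytes"])
    print(rec["audit_json"])
```

The three-way comparison is the point: equal before/after hashes of the source show the original was preserved, and the image hash matching them shows the copy is complete. Re-running `verify_image` at the start of every later session, and recording the result, is what lets the examiner testify that the analysed image is still the one acquired.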
The exact process for analysing data and recovering possible evidence can be case specific.
In some situations, the process will be relatively simple, with the evidence obtained simply by
examining files found within the stored data.
Sometimes a more in-depth analysis will recover data from files that have been deleted, even
when they're partially overwritten.
A complete forensic examination will examine all data found on the storage device, including the
remnants of deleted and partially deleted files, hidden data and data found in unallocated space
and other parts of the digital storage medium that are inaccessible during normal use.
Malware forensics: -
This branch deals with hacking-related crimes. The examiner analyses malicious code (viruses, trojans, backdoors) to determine what it does, how it got in and what it communicated with, and uses those indicators to help identify the attacker behind it.
Memory forensics: -
This branch collects the contents of volatile memory (RAM, including caches) as a raw image and then retrieves information from it, such as running processes, open network connections, injected code and encryption keys that never reach the disk.
Mobile phone forensics: -
This branch deals with mobile phones and similar devices, extracting and analysing data such as call logs, messages, application data and location history.
Database forensics: -
This branch examines and analyses the data held in databases together with their metadata and transaction logs.
Disk forensics: -
This branch extracts data from storage media by examining active, modified and deleted files as well as unallocated space.
Computer forensics investigation normally follows the typical digital forensics procedure: acquisition, examination, analysis and reporting. These investigations are mostly performed on static data (disk images) rather than on live data or live systems, though in the early days of computer forensics investigators often worked on live data because of the lack of tools.
Various techniques are used in computer forensics investigation, such as:
Cross-drive analysis: cross-drive analysis (CDA) is a technique that lets an investigator quickly identify and correlate information across multiple data sources or multiple drives. Existing approaches correlate drives by the identifiers they share, found with text searches: for example e-mail addresses, social security numbers, message IDs or credit card numbers.
Live analysis: examining the computer from within its running operating system using forensic and sysadmin tools. The collection of volatile data is very important here: installed software packages, hardware information, user login history, which TCP and UDP ports are open, which services are running, and the contents of RAM. This approach is particularly useful when the investigator is dealing with encrypted volumes, because the decryption keys and the decrypted data are present in memory only while the system is running. If a device is still active when it is handed over, the investigator should collect all of this volatile information before powering it down.
Deleted files recovery: a technique used to recover deleted files. The deleted data can be recovered, or carved out of unallocated space, using data-recovery and carving tools such as OnTrack EasyRecovery, Wise Data Recovery or the open-source PhotoRec.
Stochastic forensics: a method for forensically reconstructing digital activity that leaves insufficient artifacts of its own, by analysing the emerging statistical patterns that result from the stochastic nature of modern computers (for example, the disturbance that an insider's bulk copying leaves in file-access patterns).
Steganography: the technique of hiding secret information inside or on top of something else, which can be anything from an image to any other type of file. Investigators can detect it by comparing the hash value of the suspect file with that of the original: the hashes differ even though the two files look identical on visual inspection. This only works when a trusted copy of the original is available; otherwise statistical steganalysis is needed.
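As an added example of the cross-drive analysis described above (written for these notes; it is not code from the original page or from any CDA tool), the following Python script extracts e-mail addresses and candidate credit card numbers from several constructed drive images, validates card candidates with the Luhn checksum so that random digit runs are not counted, and reports every identifier that occurs on more than one drive. The three sample drives, the regular expressions and the identifier kinds are assumptions for the demonstration; a real run would feed whole disk images, including unallocated space, through the same functions.

```python
"""Cross-drive analysis: correlate shared identifiers across drive images (demo)."""
import re
from collections import defaultdict

EMAIL_RE = re.compile(rb"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
# 13-19 digits, optionally separated by spaces or dashes, not inside a longer digit run.
CARD_RE = re.compile(rb"(?<!\d)(?:\d[ -]?){13,19}(?!\d)")

# Constructed stand-ins for three seized drives (real CDA would read full images).
SAMPLE_DRIVES = {
    "drive_A": (b"From: alice@example.com\r\nTo: Bob.Smith@Example.org\r\n"
                b"paid with card 4111 1111 1111 1111\r\n" + b"\x00" * 64),
    "drive_B": (b"invoice to bob.smith@example.org paid with 4111-1111-1111-1111; "
                b"ref 1234 5678 9012 3456 (not a card)" + b"\x00" * 64),
    "drive_C": b"unrelated: carol@example.net, order 1234567890123" + b"\x00" * 64,
}


def luhn_ok(digits: str) -> bool:
    """Luhn checksum: rejects digit runs that merely look like card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def extract_identifiers(image: bytes) -> set:
    """Return the normalised (kind, value) identifiers found anywhere in the image."""
    found = set()
    for m in EMAIL_RE.finditer(image):
        found.add(("email", m.group().decode("ascii").lower()))
    for m in CARD_RE.finditer(image):
        digits = re.sub(rb"[ -]", b"", m.group()).decode("ascii")
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            found.add(("card", digits))
    return found


def cross_drive_correlate(images: dict) -> dict:
    """Map each identifier found on more than one drive to the drives holding it."""
    seen = defaultdict(set)
    for name, data in images.items():
        for ident in extract_identifiers(data):
            seen[ident].add(name)
    return {ident: sorted(drives) for ident, drives in seen.items() if len(drives) > 1}


if __name__ == "__main__":
    for (kind, value), drives in sorted(cross_drive_correlate(SAMPLE_DRIVES).items()):
        print(f"{kind}: {value} appears on {', '.join(drives)}")
```

Normalisation (lower-casing the addresses, stripping separators from the card numbers) is what makes "Bob.Smith@Example.org" on one drive and "bob.smith@example.org" on another collapse into a single link between the two drives; the Luhn filter keeps the 16-digit reference number on drive B, which fails the checksum, from producing a false correlation.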
4. Identification of the vulnerabilities that allowed the incident to happen.
5. It identifies trends and patterns of activity that company staff, consultants and forensic analysts were not previously aware of.
6. With computer forensics, a business can examine the whole population of data rather than a sample, and so mitigate the risk of sampling. An organisation can always use external auditors or cyber forensics professionals, but this is one benefit it gains from having an in-house forensic team.
7. The procedure enables the team to compare relevant data collected from different sources or symptoms. This comparison helps complete the big picture when investigating a cybercrime case.
8. Through investigation, the team can understand the trends in the relevant data. The patterns also help explain fluctuations, and the team is able to analyse potential risk factors and false positives.
9. The trends identified give the team more detail about the activities of consultants, company personnel and forensic accountants.
10. The reports and investigation also help the team understand the control environment. Enterprise teams can learn which policies are in place and identify the attributes that violate the rules.
11. Training an in-house team to carry out cyber forensics also helps contain costs.
12. The team is prepared to recommend budget-friendly system upgrades and other relevant implementations.