• How much? Some cases will require that you archive the complete images and datasets used in the investigation. For some cases, such as large-scale corporate cases, complete archival is either cost-prohibitive or impossible. Work with those who are directing the case to determine how much data and which datasets need archiving for the possibility of future issues.
   • How long? How long you need to keep the archives around depends again on the case. The lawyers or executives involved in the case will have knowledge of the process of wrapping up a case and the timeline for things such as appeals. Discuss this with them and create a plan that accommodates this timeline. Destroying evidence too soon after a case concludes can have disastrous consequences.
   • How likely? Try to determine the likelihood that the case will be appealed or escalated. If it seems like an appeal is inevitable, archive as much as possible to prepare for the appeal. If it looks as though a case will be escalated, such as an internal investigation resulting in a wrongful termination suit, consider that as well. As with the previous two questions, look to counsel or the executive in charge of the case for guidance on this issue.
   Once you have answered these questions, you are ready to design an archival solution for the case. The goal is to create a time capsule, a bundle that contains archived data, the proper documentation such as process checklists, chain of custody records, and the results and findings. Place this bundle in an environment-proof storage location. The last thing you need is to lose a case because a fire ruined your evidence. Archival details are covered in Chapter 3. With all things like this, a little prevention goes a long way.
   CHAPTER 2
   COMPUTER FUNDAMENTALS
   As with any discipline, the key to employing effective computer forensics is a firm grasp and complete understanding of the fundamentals. Opposing counsel loves nothing more than to rip apart the credibility of an expert witness by playing “stump the chump” with obscure facts about storage media or operating system (OS) internals. For some, this chapter will be a crash course in the internal workings of computer technologies. For others, it will serve as a refresher course. Either way, this chapter offers a technical foundation to the rest of the book.
   Before you can effectively complete investigations on any operating system, you must understand how a hard drive stores information and how the OS uses that hard drive. In addition, more exotic technologies such as flash memory and PDA RAM have their own sets of pitfalls. If you don’t understand the fundamental concepts discussed in this chapter, you will not be able to complete a defensible investigation.
   In addition, if you are called upon to perform a deposition or testify on the witness stand, this chapter will help serve as a crib sheet for testimony. A friend of mine was once asked, while on the stand, “What type of file system do floppy disks use in MS-DOS 6.0?” by opposing counsel to try to rattle him. The answer to this question is FAT12, and because he knew his stuff, he answered correctly. Floppy disks use a file system different from that of hard drives in the old DOS scheme. With all the point-and-click forensics tools available today, it is tempting to forgo learning details like this. However, this is a perfect example of how a complete understanding of the basics can protect you while you’re under fire on the witness stand.
   We wrote this chapter to serve as a reference. The night before you are scheduled to give testimony, dust off this book and reread this chapter. It will help prepare you for what is to come.
   THE BOTTOM-UP VIEW OF A COMPUTER
   As my “Introduction to Computing Science” professor once said, the essence of modern computing is abstracting complexity. The modern computer is much like the human body. Different modules each perform simple tasks; put them together in the right way, and amazingly complex tasks can be completed. A heart pumps blood. The lungs move air around. Eyes process light to create images. These are very basic tasks that work simultaneously to sustain life. Computers work in a similar way. A processor performs operations. A hard disk stores 1s and 0s. A video card converts those 1s and 0s to signals a monitor can understand. Put them together and you get the computer and all the possibilities that go along with it. Figure 2-1 shows a modular illustration of a computer, from the application that balances your checkbook to the processor that crunches the numbers.
   It’s All Just 1s and 0s
1s and 0s seem simple enough, but these two digits are the building blocks for every computing technology and application in existence. Together they form the binary number system, and transistors arranged into logic gates operate on them according to Boolean algebra. The operations these gates can perform are AND, OR, NOT, and various combinations of those basic operators.
   Figure 2-1 The layers of a computer
   To reduce the total number of transistors actually used, most processors today create all their operations with NAND gates as the basic building block. If you are interested in learning more, consult an elementary computer architecture book.
Once these operations are defined, you can take the 1s and 0s and create a combinational network that performs conventional math functions (addition, subtraction, and so on). Figure 2-2 shows how the Boolean operations combine to add two 1-bit numbers (what is known as a 1-bit adder).
   Figure 2-2 A 1-bit adder with a carry bit
After you have built an adder, you can use it and the Boolean operations to perform addition, subtraction, multiplication, and division. You can also hook the adders together to add 8-, 16-, or 32-bit numbers, as most modern processors do. In the race to have the fastest benchmark numbers on the market, computer builders have added specialized operations to processors that allow them to perform certain types of operations quickly. In fact, the staggering number of transistors on modern processors is a result of the need for these specialized operations. While a detailed description of a complete modern processor is outside the scope of this book, the following table shows the number of transistors per chip to give you an idea of the complexity of these technologies.
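To make the construction concrete, here is an added example (not from the book) that derives NOT, AND, OR, and XOR from a single NAND primitive, assembles them into the 1-bit adder with carry of Figure 2-2, and chains eight of them into a ripple-carry adder; the function names are my own.

```python
# Added example: every gate is derived from NAND, as the text describes, then
# combined into a 1-bit adder with carry and an 8-bit ripple-carry adder.

def nand(a: int, b: int) -> int:
    """The single primitive gate; everything below is built from it."""
    return 0 if (a and b) else 1

def not_(a: int) -> int:
    return nand(a, a)

def and_(a: int, b: int) -> int:
    return not_(nand(a, b))

def or_(a: int, b: int) -> int:
    return nand(not_(a), not_(b))

def xor(a: int, b: int) -> int:
    # Four-NAND XOR: the classic minimal construction.
    n = nand(a, b)
    return nand(nand(a, n), nand(b, n))

def full_adder(a: int, b: int, carry_in: int):
    """1-bit adder with carry bit (Figure 2-2): returns (sum_bit, carry_out)."""
    partial = xor(a, b)
    sum_bit = xor(partial, carry_in)
    carry_out = or_(and_(a, b), and_(partial, carry_in))
    return sum_bit, carry_out

def ripple_add(x: int, y: int, width: int = 8):
    """Chain `width` full adders, least significant bit first.
    Returns (result, carry_out); carry_out == 1 means the sum overflowed."""
    result, carry = 0, 0
    for i in range(width):
        s, carry = full_adder((x >> i) & 1, (y >> i) & 1, carry)
        result |= s << i
    return result, carry

def verify_against_builtin(width: int = 8) -> bool:
    """Exhaustively compare the gate-level adder with Python's + for every
    pair of `width`-bit operands (result and overflow carry)."""
    limit = 1 << width
    return all(ripple_add(x, y, width) == ((x + y) % limit, (x + y) // limit)
               for x in range(limit) for y in range(limit))

if __name__ == "__main__":
    for x, y in [(5, 3), (200, 100), (255, 1)]:
        r, c = ripple_add(x, y)
        print(f"{x:3d} + {y:3d} = {r:3d}  carry out = {c}")
    print("matches built-in addition:", verify_against_builtin())
```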
Furthermore, in the past few years, we have seen the addition of multiple cores to processors. This means that instead of a chip containing a single Pentium processor, for instance, a single “dual core” chip contains the equivalent of two Pentium processors. The current “arms race” in processor development seems to be centering on this concept of multiple cores and the idea of getting as many as possible onto a single chip. We are now starting to see 4, 8, 16, and even 64 cores on a single chip.
   Learning from the Past: Giving Computers Memory
Now that we have the ability to perform mathematical operations on numbers, we need a way to load and store the results of these operations. This is where memory comes in. Computers use two basic types of memory: volatile and nonvolatile. Volatile memory loses its contents when the computer is turned off, which makes them difficult to retrieve. Examples of this type of memory are main memory (RAM, or Random Access Memory) and cache memory. Nonvolatile memory retains its contents when the computer is turned off, so they remain retrievable. This is usually the secondary memory source, such as hard disks or flash memory. Figure 2-3 shows the interaction of the various types of memory and how they move information in a computer.
   Volatile Memory
   You can think of volatile memory as a scratch pad that the computer uses when evaluating data. The most fundamental unit of this type of memory is the flip-flop, shown in Figure 2-4. As the name suggests, a flip-flop can store a 1 or a 0 while the computer is on, and the computer can flip the stored value when it needs to store a different value.
   Figure 2-3 The memory hierarchy of a computer
   If you hook together eight flip-flops, you can store an 8-bit number. In the common nomenclature, a series of these flip-flops is known as a register. By combining this with the adder described earlier, you can add two numbers and store the result for later use.
Registers hold a very small amount of data and are used only when the computer needs to store temporary values during multiple-step operations. For larger pieces of data, a second level of memory must be used, and this is where RAM comes in. RAM is outside the processor and can hold a very large amount of data while the computer is on. The downside to this type of memory, however, is the delay the processor incurs when loading and storing data in RAM. Because of this lag time and its adverse effect on performance, most modern processors have what is known as a cache, which you can think of as an intermediate step between the registers and the main memory. It’s slower than the registers but not nearly as slow as accessing main memory.
   Figure 2-4 Logical diagram of a flip-flop
   Nonvolatile Memory
Nonvolatile memory is used when data needs to be stored even if the computer is turned off. The most common type of media used in nonvolatile memory is magnetic media, such as a hard disk. The upside to magnetic media is that it can be purchased cheaply in comparison to volatile memory. The downside, however, is that it is incredibly slow in comparison. Magnetic media actually has moving parts: the typical hard drive has platters that spin around with a tiny magnetic head changing charges on the platter from positive to negative, which represent the binary 1s and 0s. Even though today’s hard drives have achieved mind-blowing speed, their inherent design keeps them at least an order of magnitude slower than volatile memory. Because of this speed difference, computers are designed to minimize the number of times that something has to be written out to this secondary memory.
   However, since nonvolatile memory is so much cheaper than RAM, secondary memory is also often used as swap space for the processor. This presents a unique opportunity for the investigator, because you can go back through the hard drive, find the swap file, and take apart the memory of the computer to locate evidence that would otherwise be destroyed or obfuscated. The specific way to do this varies from operating system to operating system and is discussed in more detail in Chapters 6, 7, and 8. In fact, most of your time as an investigator will be spent going through nonvolatile memory. Due to the timing of forensic investigations (you get the computers days, weeks, and sometimes months after the fact), very rarely will you have the opportunity to access the RAM in a form that is usable during an investigation. The different types of memory that a computer can use are detailed later in this chapter in “Types of Media”; it’s well worth your time to learn each type completely.
   Basic Input and Output System (BIOS)
Now that we have created a processor and memory for the processor to use, we need a way for software to talk to the hardware and work with other peripherals. The BIOS provides simple methods for software to interact with hardware. When you first turn on the computer, the BIOS runs a series of self-checks (called the Power On Self Test, or POST) and then turns control over to the operating system. This transition occurs by way of what is called the Master Boot Record (MBR) on the hard drive, a topic that will be discussed in detail in Part II. An effective BIOS manages the allocation of resources (via interrupt requests, or IRQs, and direct memory access, or DMA) to the peripherals and handles basic security measures. Some of the more modern BIOS features are power management and digital rights management (DRM). The BIOS provides only raw access to the resources; it does nothing to manage or allocate those resources for performance. Its function is strictly to act as the interface between the OS and the hardware.
   The Operating System
The OS is by far the most complex piece of software on any given computer. It acts as the translation layer between the end-user applications and the BIOS or hardware. The OS manages the users, the memory, the applications, and the processor time on the computer. A well-written OS can breathe new life into an old computer, just as a poorly written one can bog down even the fastest of machines. As an investigator, I recommend that you spend time learning the mainstream OSs inside and out.
   Learning about an OS is not a trivial task. Windows XP has more than 5 million lines of code. The file system, the swap space, and the memory map are all artifacts of the OS installed on the machine. We devote Chapters 6, 7, and 8 to discussions of various operating systems.
   The Applications
   Applications are why you use a computer in the first place. They balance our checkbooks, allow us to browse the Internet, or entertain us with games, movies, or other activities. From a forensics perspective, it is beneficial for you to become familiar with the ins and outs of a few select applications. Understanding the way that office applications create and delete documents, how e-mail programs work, and how web browsers access the Internet will help you track down evidence that you can use in your investigation. Chapters 11 and 12 are dedicated to various applications that you will see again and again in your time as an investigator.
   TYPES OF MEDIA
   As discussed in the preceding section, investigations will focus primarily on the secondary memory area—hard disks, CD-ROMs, tape backups, and most other types of commonly used storage. Each of these types of media has its own nuances and pitfalls in an investigation. Let’s look at the three most common types of media—magnetic, optical, and RAM—in detail.
   If you are conducting an investigation in a legal capacity (as an action in a lawsuit, in a formal third-party investigation, and so on), it is vital that you not only understand the different types of media but also the laws that govern what you can ask for and what you can’t. We discuss this topic more in Chapters 14 and 15.
   Magnetic Media
   You will spend the majority of your time dealing with magnetic media, including hard disks, floppy disks, and tape backups. Zip disks and other such large-capacity portable disks are just variations on the structure of the hard disk or floppy disk. The theory for all of these types is the same: Some kind of metal or magnetic surface holds a series of positive or negative magnetic charges. This series represents 1s or 0s, depending on the charge of the magnet. When data is changed on the media, the magnetic charge is changed. This means several things: First, there are moving parts, and moving parts are susceptible to breaking. Always have backups. Second, the media is open to being affected by external magnets. This means that your forensic lab procedures and storage policies must consider this, and you must be able to prove that this hasn’t happened when dealing in a court of law.
   Hard Disk Drives
   If you learn the complete architecture for just one media type, make it the hard drive. Ninety percent of an investigator’s time will be spent imaging, searching, or wiping hard drives, and none of these are as easy as they might seem. How do you know the image of a hard drive is an exact duplicate? What is slack space? What is your wiping procedure? Until you can answer these questions and fully justify your answers, don’t even attempt an investigation. Let’s break down a hard drive’s components and how those components interact.
   Physical Parts of the Hard Drive
   Before we look at how data is stored on a hard drive, we need to talk a bit about the physical components of the drive. Hard drives are marvels of modern engineering. Imagine a plane traveling Mach 1 with an altitude of about 2 feet above the runway. This is the rough equivalent to what a hard drive does every time it spins up and reads or writes data. Figure 2-5 shows the parts of a hard drive.
Platters
Platters are the circular discs that actually store the data. A single hard drive will include multiple platters, often made of an aluminum alloy, though newer drives use a glass or ceramic material. These platters are covered with a magnetic substrate so that they can hold a magnetic charge. Hard drive failures rarely occur within the platters. In fact, nine times out of ten, if you send a drive off to a data recovery firm, it will take the drive apart and mount the platters in a new drive assembly to retrieve the data from them.
   Figure 2-5 The parts of a hard drive
Read and Write Heads
Tiny magnetic read and write heads change and read the magnetic state on the platters. Think of these in the same way you think of a needle on an old LP record player or a laser on a CD-ROM player. In this case, the head is a copper coil that has charges pushed through it. This creates a magnetic field that can either read or write data. Because there are multiple platters, multiple heads are used. Typically, to optimize the usage of the platter, both the top and bottom of the platter’s surface are used. For performance purposes and for better reliability, all the heads are hooked together and move in unison. This way, data can be read simultaneously from multiple platters. These are so compactly designed that they must be assembled in a clean room, because even a single stray particle can disrupt the head alignment.
Head Actuator
For many years, this was a major source of failure for hard drives. The two types of head actuators are stepper motor and voice coil. Old hard drives (less than 100MB) used stepper motor actuators, which were nothing short of terrible: if you didn’t park the heads before moving the drive, you broke it; if you didn’t recalibrate the disk by formatting it after you cleared it, you broke the drive; if you used the hard drive too much, you broke it. Look at the thing wrong and you broke it! Over time, these actuators would “forget” where they were on the hard disk and you’d lose all your data. On the opposite side of the equation are the voice coil actuators. These correct themselves if they get lost on the platter using Gray code. In addition, they don’t have to be parked before a hard drive is spun down.
Gray codes are an alternative binary numbering system in which only 1 bit changes from one number to the next. Gray codes are particularly useful in mechanical encoders, since a slight change in position affects only 1 bit. Using a typical binary code, up to n bits could change, and slight misalignments between reading elements could cause wildly incorrect readings.
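As an added example (not from the book), the following code encodes positions in Gray code, decodes them, and shows why an encoder whose reading elements are slightly misaligned mid-transition can report any position at all in plain binary but only one of the two adjacent positions in Gray code; the function names and the misalignment model are my own.

```python
# Added example: Gray code versus plain binary for a position encoder.

def to_gray(n: int) -> int:
    """Reflected binary (Gray) code: g = n XOR (n >> 1)."""
    return n ^ (n >> 1)

def from_gray(g: int) -> int:
    """Inverse: XOR in every right shift of the code word."""
    n, mask = g, g >> 1
    while mask:
        n ^= mask
        mask >>= 1
    return n

def bits_changed(a: int, b: int) -> int:
    """Hamming distance between two code words."""
    return bin(a ^ b).count("1")

def max_transition_bits(width: int, encode) -> int:
    """Largest number of bits that flip between consecutive positions
    (including the wrap-around from the last position back to 0)."""
    count = 1 << width
    return max(bits_changed(encode(i), encode((i + 1) % count))
               for i in range(count))

def possible_misreads(i: int, width: int, encode, decode) -> set:
    """Positions a sensor could report while moving from i to i+1 if each
    reading element independently may still show the old bit value
    (a constructed model of slight mechanical misalignment)."""
    old, new = encode(i), encode((i + 1) % (1 << width))
    flipping = old ^ new
    readings = set()
    subset = flipping           # enumerate every subset of the changing bits
    while True:
        readings.add(decode(old ^ subset))
        if subset == 0:
            break
        subset = (subset - 1) & flipping
    return readings

if __name__ == "__main__":
    identity = lambda n: n      # plain binary: code word equals the position
    print("max bits flipped, 4-bit binary:", max_transition_bits(4, identity))
    print("max bits flipped, 4-bit Gray:  ", max_transition_bits(4, to_gray))
    print("misreads 7->8, binary:", sorted(possible_misreads(7, 4, identity, identity)))
    print("misreads 7->8, Gray:  ", sorted(possible_misreads(7, 4, to_gray, from_gray)))
```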
 Hacking Exposed Page 5