2.2 Digital Crime Scene Investigation Process

  1. There are THREE basic Phases
    1. System Preservation Phase
    2. Evidence Searching Phase
    3. Event Reconstruction Phase
###
Consider a traditional crime scene where someone got shot by bullets.
Will you allow people to walk over the scene? No because it damages the scene.
Will you stop working only after securing the scene? No, you will Search for useful evidence.
Will you stop after finding evidence ? No , you will try to reconstruct the event, guessing more details etc.
###

There are two types of investigations
  1. Dead investigation
    1. running trusted application in trusted OS.
    2. attaching seized pendrive to investigation workstation.
  2. Live investigation
    1. OS or other resources of the system are being investigated.
    2. investigating ongoing attack on the working server.
 
at

2.3.2 Essential & Non-essential data

  • 1.1.3.3 Types of Sector Addresses
    Physical address is address of the sector with respect to start of physical media. One way of addressing was to mentioning plate number , tr...
  • 1.1.2.1 CPU & Machine Codes
    CPU Central processing unit or processor. Can process assigned job. but cant create job for itself. OS assigns job to CPU. CPU picks up inst...
  • 1.1.1.3 Strings and Encoding
    How computer stores sentence ? Computer does not know characters and symbols. Computer has a unique numerical value for a symbol. Computer k...