Forensics Analysis
Computer forensics is a branch of digital forensic science pertaining to legal evidence found in computers and digital storage media. The goal is to examine digital media in a forensically sound manner to identify, preserve, recover, analyze and present facts and opinions about the information. A common technique is recovering deleted files, as modern forensic software have tools to recover or carve out deleted data, even though operating systems do not always fully erase physical file data. The document discusses techniques used in computer forensics analysis and properties of forensic applications, including overwriting file clusters multiple times to prevent data recovery. It also notes difficulties encountered during programming, such as differences between hardware, operating systems, and compilers.
Forensics Analysis
- 1. Advisor : Assoc. Prof. Melih Kırlıdoğ Computer forensics Computer forensics (sometimes known as computer forensic science) is a branch of digital forensic science pertaining to legal evidence found in computers and digital storage media. The goal of computer forensics is to examine digital media in a forensically sound manner with the aim of identifying, preserving, recovering, analyzing and presenting facts and opinions about the information. A common technique used in computer forensics is the recovery of deleted files. Modern forensic software have their own tools for recovering or carving out deleted data. Most operating systems and file systems do not always erase physical file data, allowing investigators to reconstruct it from the physical disk sectors. Techniques used in forensics analysis Properties of the application • Program reads the hard disk by the given address . • Program may zero down the hard drive with linux dd if=/dev/… command . • Program may show all cluster chain of any file even if the file has been recently fragmented . • Our aim in safe delete is to protect individuals’ privacy against unauthorized access. Our application finds the selected file’s cluster numbers from the FAT, then overwrites on them as many times as the user desires, for at least 3 times, 1st with zeros then FFs then with random characters, which makes it impossible to recover even with the latest and most expensive data recovery methods. • Usb flash disks are not standard in the market • When formatted in different FAT32 / FAT16 system FAT location differs dramatically • Different sizes of flash disks gave different results • Flash disks in the market are usually low quality and most of them have hidden bad sectors which made our job harder • Some bugs and minor differences in Linux / Ubuntu versions • Application gave us hard time between desktop and laptops • Different C compilers gave us different results while calculating sector / cluster numbers • Being not very familiar in Unix / Linux environment • Not many resources available in forensics programming Difficulties encountered during programming Fragmented Cluster Chain Cluster Chain on Fat 32 Prepared by Abdurrahman Aktaş Mohammad kema Al-Turk Design of the applicaiton according to fat data sturucture algorithms