OnlinePCTips.com

PC Tips and Tricks to make your life easier

Archive for May 8th, 2010

Concealing And Recovering Hard Disk Data

May 08, 2010 By: lilybird Category: Data Recovery/Security

A skilled forensics examiner should be aware of the techniques that an attacker, intruder, malicious program, computer virus, or worm is capable of using. Indeed, a significant body of knowledge is required to track down the steps taken by an adversary, piece together the sequence of events, and successfully defend conclusions in a court of law. While not every incident investigated will turn out to have been carried out by someone with the skill of an expert, automated tools are getting more sophisticated on a daily basis and can give even a script kiddie power and capabilities that did not exist years ago.

During the commission of a crime it is quite natural, and a common human trait, to attempt to cover up, disguise, or otherwise conceal evidence of criminal activity. In some cases, hiding data is part of the master plan and helps ensure the success of the criminal activities. Deleting data from a hard disk can be used as a covering technique as well as an attempt to hide evidence.

To be successful, forensics detectives must recognize and understand these methods. Additionally, they must be able to retrieve as much case-related data as possible, discovering and recovering hidden and erased data. The focal points of forensic hard disk data recovery include: physical properties of a hard drive; distinguishing attributes of the FAT32, NTFS, and Ext3 file systems; techniques used to both hide and find digital data; software tools available for erasing and finding data; true data deletion; applicable regulations regarding data destruction; and digital data recovery capabilities. These subject areas are intended to provide background to the neophyte forensics practitioner or those with an interest in the field.

To learn how differences in file systems influence hard disk data concealing, erasing, and retrieval, an overview of the physical characteristics of a hard disk is essential. Particularly important are the use of magnetization, the composition of the materials used on modern disk platters, and the disk layout as it relates to the organization of tracks and sectors. Disk formatting, as well as the mechanism used to read and write data to the media, is also meaningful background information. All of this background is necessary to fully grasp the concepts and techniques used during the investigations a forensics inspector may be called upon to perform.

While areas of commonality exist between concealing and recovering data, individual file systems have particularities that affect operating system and software behavior. These differences lead to variances in the attainable results both for the miscreant and for the investigator. Most recovery experts focus on the FAT32, NTFS, and Ext2fs file systems (arguably the most popular file systems in use today) as they relate to hiding, erasing, and recovering data. File system specifics and their structures provide additional background information and help in a complete understanding of the subject area.


Description Of Ethernet Packet Format

May 08, 2010 By: lilybird Category: Hardware

All the data transported over an Ethernet network is carried in a packet that conforms to a standardized format. For all intents and purposes, this packet format defines Ethernet. It has remained unchanged since the early days and offers commonality across all the various Ethernet flavors.

The packet preamble is usually generated by the Ethernet hardware, which also adds the frame check sequence, or checksum: a redundant series of bits that protects data integrity during transmission. Software is responsible for supplying the destination and source addresses, as well as the data carried in the frame's payload.

At the start of every frame there is the preamble, a series of alternating ones and zeroes that the Ethernet receiver can use to acquire bit synchronization. Next comes the start of frame delimiter, a series of alternating ones and zeroes that ends with two consecutive ones and is used to acquire byte alignment.

The address information follows. The first part of this is the destination Ethernet address, which identifies the intended receiver. If this field is set to all ones, the message is broadcast to all attached stations. The next part of the address information is the source Ethernet address. This is the globally unique Ethernet address of the sending device (that is, the unique identity of the game console, workstation, router, or whatever other device initiates the communication).

There are two interpretations for the next field: it can denote either a message length or a message type. The reason for this duality is that the IEEE Ethernet standard is slightly different from the original, proprietary spec from Xerox. The latter did not need a length field because all of the vendor protocols that used it (XNS, DECnet, IPX, and IP) had their own length fields. However, the IEEE committee needed a standard that did not depend on the good behavior of other protocols, so they replaced the two-byte type field with a two-byte length field.

The reason the two definitions of this field can coexist is that Xerox had not assigned any upper layer protocol-type values below the decimal value of 1,500. Since the maximum length of an Ethernet frame is 1,500 bytes, all possible length values can be set without any conflict or overlap. Hence, any Ethernet frame with a type/length field less than 1,500 is in IEEE format (with length defined as a value between 64 and 1,500). Any frame in which the field's value is greater than 1,500 must follow the Xerox format (with predefined type values such as 0x800 for IP packets or 0x600 for DECnet).

The actual information sent over the network follows next in the data field. This part of the frame is where an IP packet (or any other type of data) would be carried. The data field can be up to 1,500 bytes in length, and this sets the upper limit on the amount of data that can be transported inside any one frame. There is also a minimum frame size, so the data field is padded up to 46 bytes if needed.

There is good reason for defining maximum and minimum frame sizes. If the frame is too long, it can block other users from getting fair access: other users continuously detect a potential collision and thus back off from sending. If the frame is too short, its last bit can leave the sender before its first bit has arrived at the recipient, which makes it difficult to tell whether the network is free for use. The shortest Ethernet frame is 6 + 6 + 2 + 46 + 4 = 64 bytes and the longest frame is 6 + 6 + 2 + 1,500 + 4 = 1,518 bytes.

The last field is the frame check sequence. This is a 32-bit cyclic redundancy check computed over the whole frame (except for the preamble and the check sequence itself). It lets the receiver of the frame test whether any errors occurred during transmission.
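To make the frame layout described above concrete, here is an added example (not code from the original post) that builds and parses frames from the destination address through the FCS, applying the rules the post gives: the 46-byte payload padding, the 64 to 1,518 byte frame limits, the all-ones broadcast address, the type-versus-length reading of the two-byte field, and a CRC-32 check over everything but the FCS. The preamble and start of frame delimiter are assumed to be handled by the hardware, as the post says, and are not included. The code uses 1,500 as the type/length boundary, as the post does; the current IEEE 802.3 text treats values from 1,536 (0x600) upward as types and leaves 1,501 to 1,535 undefined. The FCS bytes are packed little-endian, which is how the field appears in packet captures; `zlib.crc32` uses the same polynomial as IEEE 802.3. All addresses and payloads below are constructed sample values.

```python
import struct
import zlib

# Field sizes from the post: dst(6) + src(6) + type/length(2) + data(46..1500) + FCS(4)
FCS_LEN = 4
MIN_PAYLOAD = 46
MAX_PAYLOAD = 1500
MIN_FRAME = 6 + 6 + 2 + MIN_PAYLOAD + FCS_LEN   # 64
MAX_FRAME = 6 + 6 + 2 + MAX_PAYLOAD + FCS_LEN   # 1518
BROADCAST = b"\xff" * 6                          # all ones: deliver to every station


def fcs(frame_without_fcs: bytes) -> int:
    """32-bit CRC over dst..payload; the FCS covers everything but the preamble and itself."""
    return zlib.crc32(frame_without_fcs) & 0xFFFFFFFF


def build_frame(dst: bytes, src: bytes, type_or_len: int, payload: bytes) -> bytes:
    """Assemble a frame the way the post describes software and hardware sharing the job:
    addresses, type/length and data come from software; padding and FCS are appended here."""
    if len(dst) != 6 or len(src) != 6:
        raise ValueError("Ethernet addresses are 6 bytes")
    if len(payload) > MAX_PAYLOAD:
        raise ValueError(f"payload {len(payload)} exceeds {MAX_PAYLOAD} bytes")
    payload = payload.ljust(MIN_PAYLOAD, b"\x00")        # pad short data up to 46 bytes
    body = dst + src + struct.pack("!H", type_or_len) + payload
    return body + struct.pack("<I", fcs(body))


def parse_frame(frame: bytes) -> dict:
    """Split a received frame into its fields and apply the post's size, type/length
    and integrity rules. Returns a dict rather than raising on a bad FCS so a caller
    can count corrupted frames instead of silently dropping them."""
    if not MIN_FRAME <= len(frame) <= MAX_FRAME:
        raise ValueError(f"frame length {len(frame)} outside {MIN_FRAME}..{MAX_FRAME}")
    dst, src = frame[0:6], frame[6:12]
    (type_or_len,) = struct.unpack("!H", frame[12:14])
    payload = frame[14:-FCS_LEN]
    (received_fcs,) = struct.unpack("<I", frame[-FCS_LEN:])

    if type_or_len <= MAX_PAYLOAD:
        # IEEE 802.3 reading: the field is a length, so padding can be stripped.
        field_kind = "length"
        if type_or_len > len(payload):
            raise ValueError("802.3 length field larger than the data actually present")
        data = payload[:type_or_len]
    else:
        # Xerox / Ethernet II reading: the field is a type (0x800 = IP); the upper
        # layer protocol must find its own length, so padding stays in place.
        field_kind = "type"
        data = payload

    return {
        "dst": dst.hex(":"),
        "src": src.hex(":"),
        "broadcast": dst == BROADCAST,
        "field_kind": field_kind,
        "type_or_length": type_or_len,
        "data": data,
        "fcs_ok": received_fcs == fcs(frame[:-FCS_LEN]),
    }


if __name__ == "__main__":
    # Constructed sample: an IP (type 0x800) broadcast frame with an 11-byte payload,
    # which the builder pads to 46 bytes so the frame reaches the 64-byte minimum.
    src_mac = bytes.fromhex("020000000001")
    frame = build_frame(BROADCAST, src_mac, 0x0800, b"constructed")
    print(len(frame), parse_frame(frame))
    # Corrupt one payload byte in transit: the FCS check fails.
    damaged = bytearray(frame)
    damaged[20] ^= 0xFF
    print(parse_frame(bytes(damaged))["fcs_ok"])
```

The type/length decision is the point of the two paragraphs on the field's duality: a receiver cannot know which format it is looking at until it compares the field against 1,500, and only the 802.3 reading lets it strip the padding, because an Ethernet II frame relies on the upper layer (the IP total length, for example) to find where the real data ends.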

