Knowledge Needed for Computer Forensics Analysis

To conduct computer forensics, a certain background body of knowledge is required, just as with traditional forensics. For example, you cannot examine DNA without some basic education in blood and genetics. This applies to computer forensics as well. You must have an understanding of the systems you are examining in order to successfully examine them.

This chapter assumes that you have a basic understanding of computer hardware, software, and operating systems. This section briefly discusses the highlights of these areas that you need to know. If you find you are lacking in one or more areas, you should take some time to brush up on these topics before continuing. For many readers, these items will be a review; for others, some information may be new. If this is new information for you, bear in mind that this is the absolute minimum of knowledge. The more you know about the underlying technology, the more effective you will be.

Hardware

In general, good digital forensics examiners begin with a working knowledge of the hardware for the devices they want to examine. For PCs and laptops, this includes knowledge equivalent to the CompTIA A+ certification or a basic PC hardware course. If you are doing phone or router forensics, you need a similar level of knowledge of the hardware on those devices.

For PCs, this means a strong understanding of hard drives, memory, motherboards, and expansion cards. What exactly is a “strong understanding”? Think about random access memory (RAM). You are probably aware that RAM is volatile memory and it stores the programs and data you currently have open, but only for as long as the computer has power supplied to it. However, that level of knowledge is inadequate for forensics. A forensic examiner needs to go much deeper and understand the various types of RAM, how they work, the type of information that is contained in each, and how the computer uses them.

Random Access Memory

RAM can be examined in multiple ways. One way is to look at the method whereby information is written to and read from RAM. These are presented in sequential order from older to newer technologies:

  • Extended data output dynamic random access memory (EDO DRAM): Single-cycle EDO can carry out a complete memory transaction in one clock cycle. Otherwise, once a page has been selected, each sequential RAM access within the same page takes two clock cycles instead of three.

  • Burst EDO (BEDO) DRAM: An evolution of the EDO, burst EDO DRAM can process four memory addresses in one burst.

  • Asynchronous dynamic random access memory (ADRAM): ADRAM is not synchronized to the CPU clock.

  • Synchronous dynamic random access memory (SDRAM): SDRAM is a replacement for EDO.

  • Double data rate (DDR) SDRAM: DDR SDRAM was a later development of SDRAM. DDR2, DDR3, and DDR4 are now available.

SDRAM and, more specifically, DDR3 and DDR4, are the most common forms of RAM found in PCs and laptops.

Another way to look at RAM, one that is particularly important from a forensic point of view, is to consider the volatility of the data stored. Volatility refers to how easily the data can be changed, either intentionally or unintentionally.

  • Random access memory (RAM): This is what most people think of when they say memory. It is quick to write to and read from. The memory is volatile, meaning as soon as power is discontinued, the data is gone.

  • Read-only memory (ROM): As the name suggests, this is not at all volatile; it cannot be changed. This is usually used for instructions embedded in chips and controls how the computer, option cards, peripherals, and other devices operate.

  • Programmable ROM (PROM): PROM can be programmed only once. Data is not lost when power is removed.

  • Erasable programmable ROM (EPROM): Data is not lost when power is removed. Again, this is a technique for storing instructions on chips.

  • Electrically erasable programmable ROM (EEPROM): This is how the instructions in your computer’s BIOS are stored.

Hard Drives

A forensic specialist must also understand the following storage devices. The descriptions given here are for various types of connectors. The drives themselves are the same, but the method of attaching the drive, as well as the speed and efficiency of getting data to and from the drive, differ.

  • Small Computer System Interface (SCSI): This has been around for many years, and is particularly popular in high-end servers. This standard is actually fairly old—it was established in 1986. SCSI devices must have a terminator at the end of the chain of devices to work and are limited to 16 chained devices.

  • Integrated Drive Electronics (IDE): This is an older standard but one that was commonly used on PCs for many years. It is obvious you are dealing with an IDE or EIDE drive if you encounter a 40-pin connector on the drive.

  • Enhanced Integrated Drive Electronics (EIDE): This is an extension/enhancement of IDE.

  • Parallel Advanced Technology Attachment (PATA): Parallel ATA is an enhancement of IDE. It uses either a 40-pin (like IDE) or 80-pin connector.

  • Serial Advanced Technology Attachment (SATA): This is what you are most likely to find today. These devices are commonly found in workstations and many servers. The internals of the hard drive are very similar to IDE and EIDE; it is the connectivity to the computer’s motherboard that is different. Also, unlike IDE or EIDE drives, this type of drive has no jumpers to set the drive.

  • Serial SCSI: This is an enhancement of SCSI. It supports up to 65,537 devices and does not require termination.

  • Solid-state drives (SSDs): These are becoming more common, so it’s worthwhile to discuss them in a bit more detail. Unlike the previously discussed drive types, these are not the same basic hard drive. These drives have an entirely different construction and method of storing data. SSDs use microchips that retain data in nonvolatile memory chips and contain no moving parts. As of 2010, most SSDs use negated AND gate (NAND)-based flash memory, which retains memory even without power. Solid-state drives do not benefit from defragmentation. Any defragmentation process adds additional writes on the NAND flash, which already has a limited life cycle. High-performance flash-based SSDs generally require one-half to one-third the power of hard disk drives (HDDs); high-performance DRAM SSDs generally require as much power as HDDs, and consume power when the rest of the system is shut down.

All of these, except for solid state, refer to how the hard drive connects to the motherboard and transfers data, and do not define how information is stored on the disk. For all but solid state, the following hard drive facts apply.

HDDs record data by magnetizing ferromagnetic material directionally, to represent either a 0 or a 1 binary digit. The magnetic data is stored on platters; the platters are organized on a spindle with a read/write head reading and writing data to and from the platters. The data is organized as follows:

  • A sector is the basic unit of data storage on a hard disk, which is usually 512 bytes. However, newer systems often use a 4096-byte sector size.

  • A cluster is a logical grouping of sectors. Clusters can be 1 to 128 sectors in size. That means 512 bytes up to 64 kilobytes (KB). The minimum size a file can use is one cluster. If the file is less than the size of a cluster, the remaining space is simply unused.

  • Sectors are, in turn, organized by tracks.

That is a basic description of most hard drives (with the exception of solid-state drives). Forensic examiners should know the following terms, which are used with all hard drives:

  • Drive geometry: This term refers to the functional dimensions of a drive in terms of the number of heads, cylinders, and sectors per track.

  • Slack space: This is the space between the end of a file and the end of the cluster, assuming the file does not occupy the entire cluster. This is space that can be used to hide data.

  • Low-level format: This creates a structure of sectors, tracks, and clusters.

  • High-level format: This is the process of setting up an empty file system on the disk and installing a boot sector. This is sometimes referred to as a quick format.
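The sector/cluster arithmetic above, and the slack-space region it implies, as an added example (not code from the book). It assumes a contiguous file stored at a known first cluster and builds a constructed 4-cluster image rather than reading a real disk.

```python
import math

BYTES_PER_SECTOR = 512  # 4096 on newer "Advanced Format" drives


def cluster_size(sectors_per_cluster, bytes_per_sector=BYTES_PER_SECTOR):
    """Bytes per cluster; clusters are 1 to 128 sectors, so 512 B up to 64 KB here."""
    if not 1 <= sectors_per_cluster <= 128:
        raise ValueError("a cluster is 1 to 128 sectors")
    return sectors_per_cluster * bytes_per_sector


def allocation(file_size, csize):
    """(clusters consumed, slack bytes): a file always takes at least one cluster."""
    clusters = max(1, math.ceil(file_size / csize))
    return clusters, clusters * csize - file_size


def slack_range(first_cluster, file_size, csize):
    """Byte offsets [start, end) of the file's slack within the volume image.

    Assumes the file is stored contiguously beginning at first_cluster.
    """
    clusters, slack = allocation(file_size, csize)
    end = (first_cluster + clusters) * csize
    return end - slack, end


def extract_slack(image, first_cluster, file_size, csize):
    """Pull the slack bytes out of an image so an examiner can inspect them."""
    start, end = slack_range(first_cluster, file_size, csize)
    return image[start:end]


def build_demo_image(csize, first_cluster, file_size, planted):
    """Constructed 4-cluster volume standing in for a real image: the file's
    content is 'F' bytes, 'planted' sits at the start of its slack, all else zero."""
    image = bytearray(4 * csize)
    start = first_cluster * csize
    image[start:start + file_size] = b"F" * file_size
    slack_start, _ = slack_range(first_cluster, file_size, csize)
    image[slack_start:slack_start + len(planted)] = planted
    return bytes(image)


if __name__ == "__main__":
    csize = cluster_size(8)  # 8 sectors x 512 B = 4096 B clusters
    clusters, slack = allocation(5000, csize)
    print(f"5000-byte file: {clusters} clusters, {slack} bytes of slack")
    image = build_demo_image(csize, 1, 5000, b"constructed-marker")
    print(extract_slack(image, 1, 5000, csize)[:18])
```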

Software

Once you have a basic understanding of hardware, the next step is to learn about the software, and this begins with the operating system. It is imperative that you have a strong working knowledge of the operating system running on the device you want to examine.

Windows

There’s a lot to know about Windows, but for now, here’s a basic overview of how it works. The heart of Windows is the Windows Registry. The Windows Registry is essentially a repository of all settings, software, and parameters for Windows. If new software is installed, the Registry is updated to indicate the new software. If the background color of the desktop is changed, the Registry is updated to indicate the new color. From this Registry, you can get all kinds of information, including the password for wireless networks and the serial numbers for all USB devices that have been connected to that computer. This is really the most important part of Windows from both a technical-support and a forensic point of view.

Windows also has other interesting places to look for forensic evidence. There are certain folders and files—the index.dat file, for instance—that are great places to find evidence. Even browser cookies and history can be useful. Given that Windows is such a common operating system, it is advisable to be very familiar with Windows.

Linux

Linux is particularly interesting from a forensic point of view. Even though it is not as widely used as Windows, it is a favorite in the security and forensics community. You will find that a lot of free forensic tools come with Linux. In fact, one specific Linux distribution called Kali Linux (formerly called BackTrack) has an extensive collection of forensic, security, and hacking tools.

Linux is a UNIX clone, developed originally by Linus Torvalds. There are now well over 100 different distributions, or variations, of Linux. However, all have some commonalities. In the Linux world, work done from the command line, called the shell in Linux, is far more important than it is in Windows.

Macintosh

For many years, Apple Macintosh was a complete operating system. However, beginning with OS X, the Macintosh system has been based on FreeBSD, a UNIX clone very similar to Linux. The graphical user interface is just that, an interface. The underlying operating system is a UNIX-like system.

This means that many forensic techniques you can use on Linux can also be used on Macintosh, from the shell prompt.

Files and File Systems

Computers store discrete sets of related information in files. Any document, spreadsheet, picture, video, or even program is a file. It is a very easy thing to change the extension of a file so that it looks like some other type of file. However, that will not change the file structure itself. There are tools that allow viewing of the actual file structure and the file header. This is very important from a forensic perspective. The file header gives you an accurate understanding of the file, regardless of whether the extension has been changed. A few basic facts about files are as follows:

  • File headers start at the first byte of a file. This is particularly important when you practice file carving.

  • In graphics file formats, the header might give information about an image’s size, resolution, number of colors, and the like.

  • The Executable and Linkable Format (ELF, formerly called Extensible Linking Format) is a common standard file format for executables, object code, and shared libraries for UNIX-based systems.

  • Portable Executable (PE) is used in Windows for executables and dynamic-link libraries (DLLs). PE files are derived from the earlier Common Object File Format (COFF) found on VAX/VMS, a common operating system for mainframe computers.

  • Areal density is the amount of data stored per unit area of disk.

  • Windows Office files have a globally unique identifier (GUID) to identify them.
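Identifying a file from its header rather than its extension, as an added example (not code from the book). The signature table and the sample headers are constructed for the example; the PE check follows the e_lfanew pointer at offset 0x3C to the "PE\0\0" signature, and the ELF check reads the class byte that distinguishes 32-bit from 64-bit objects.

```python
import struct

# Signatures found at offset 0. Constructed table for this example; not exhaustive.
SIGNATURES = [
    (b"\x7fELF", "ELF"),
    (b"\x89PNG\r\n\x1a\n", "PNG"),
    (b"\xff\xd8\xff", "JPEG"),
    (b"GIF87a", "GIF"),
    (b"GIF89a", "GIF"),
    (b"%PDF-", "PDF"),
    (b"PK\x03\x04", "ZIP"),                          # also .docx/.xlsx/.pptx containers
    (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1", "OLE2"),  # legacy .doc/.xls
]

# Which header types an extension legitimately carries (constructed mapping).
EXTENSION_TYPES = {
    ".png": {"PNG"}, ".jpg": {"JPEG"}, ".jpeg": {"JPEG"}, ".gif": {"GIF"},
    ".pdf": {"PDF"}, ".zip": {"ZIP"}, ".docx": {"ZIP"}, ".doc": {"OLE2"},
    ".exe": {"PE"}, ".dll": {"PE"}, ".txt": {"unknown"},
}


def identify(data: bytes) -> str:
    """Type implied by the first bytes, independent of the filename."""
    # PE: 'MZ' DOS stub, then the 4-byte e_lfanew at 0x3C points at 'PE\0\0'.
    if data[:2] == b"MZ":
        if len(data) >= 0x40:
            e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
            if data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00":
                return "PE"
        return "MZ (DOS stub, no PE header)"
    for magic, label in SIGNATURES:
        if data.startswith(magic):
            if label == "ELF" and len(data) > 4:
                # EI_CLASS byte: 1 = 32-bit, 2 = 64-bit
                return "ELF" + {1: "32", 2: "64"}.get(data[4], "")
            return label
    return "unknown"


def check_extension(name: str, data: bytes):
    """(detected type, True/False if it fits the extension, None for an unknown extension)."""
    detected = identify(data)
    ext = name[name.rfind("."):].lower() if "." in name else ""
    expected = EXTENSION_TYPES.get(ext)
    if expected is None:
        return detected, None
    return detected, detected in expected


def build_minimal_pe() -> bytes:
    """Constructed: 'MZ' stub whose e_lfanew (at 0x3C) points at 'PE\0\0' at 0x40."""
    return b"MZ" + b"\x00" * 0x3A + struct.pack("<I", 0x40) + b"PE\x00\x00"


SAMPLES = {  # constructed header bytes, not real files
    "photo.jpg": b"\xff\xd8\xff\xe0\x00\x10JFIF",
    "notes.txt": b"\x89PNG\r\n\x1a\n" + b"\x00" * 8,      # PNG renamed to .txt
    "tool.exe": build_minimal_pe(),
    "readme.txt": b"\x7fELF\x02\x01\x01" + b"\x00" * 9,   # 64-bit ELF renamed to .txt
}

if __name__ == "__main__":
    for name, data in SAMPLES.items():
        detected, ok = check_extension(name, data)
        print(f"{name:12} header says {detected:8} extension consistent: {ok}")
```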

Files are organized on the computer based on the file system. There are many file systems, but they can be divided into two categories: journaling and non-journaling. Journaling is basically the process whereby the file system keeps a record of what file transactions take place so that in the event of a hard drive crash, the files can be recovered. Journaling file systems are fault tolerant because the file system logs all changes to files, directories, or file structures. The log in which changes are recorded is referred to as the file system’s journal—thus the term journaling file systems.

There are actually two types of journaling: physical and logical. With physical journaling, the system logs a copy of every block that is about to be written to the storage device, before it is written. The log also includes a checksum of those blocks, to make sure there is no error in writing the block. With logical journaling, only changes to file metadata are stored in the journal.
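Physical journaling as described above, as an added toy model (not code from the book or from any real file system): each block about to be written is copied into the log with a CRC-32 first, and recovery after a crash replays only the entries whose checksum still verifies. The block size, device size and the "torn entry" scenario are constructed for the example.

```python
import zlib


class PhysicalJournal:
    """Toy physical (block-level) journal. Simplified model for illustration."""

    def __init__(self, block_size: int = 512, nblocks: int = 8):
        self.block_size = block_size
        self.device = bytearray(block_size * nblocks)
        self.log = []  # entries: [block_no, block data, crc32 of that data]

    def log_write(self, block_no: int, data: bytes) -> None:
        """Step 1: record the whole block and its checksum before touching the device."""
        if len(data) != self.block_size:
            raise ValueError("journal entries hold whole blocks")
        self.log.append([block_no, bytes(data), zlib.crc32(data)])

    def _apply(self, block_no: int, data: bytes) -> None:
        off = block_no * self.block_size
        self.device[off:off + self.block_size] = data

    def commit(self) -> None:
        """Step 2, normal path: apply every logged block, then clear the log."""
        for block_no, data, _ in self.log:
            self._apply(block_no, data)
        self.log.clear()

    def recover(self):
        """Crash path: replay entries whose CRC verifies; an entry whose data no
        longer matches its checksum is discarded so a half-written block never
        reaches the device. Returns (replayed, discarded)."""
        replayed = discarded = 0
        for block_no, data, crc in self.log:
            if zlib.crc32(data) == crc:
                self._apply(block_no, data)
                replayed += 1
            else:
                discarded += 1
        self.log.clear()
        return replayed, discarded

    def read_block(self, block_no: int) -> bytes:
        off = block_no * self.block_size
        return bytes(self.device[off:off + self.block_size])


def crash_demo():
    """Constructed scenario: two blocks logged, then the second log entry is torn
    (partly zeroed) by a simulated crash before anything reached the device."""
    j = PhysicalJournal()
    j.log_write(2, b"A" * 512)
    j.log_write(3, b"B" * 512)
    torn = bytearray(j.log[1][1])
    torn[100:200] = b"\x00" * 100      # the recorded CRC still describes the intended block
    j.log[1][1] = bytes(torn)
    result = j.recover()
    return result, j.read_block(2), j.read_block(3)


if __name__ == "__main__":
    (replayed, discarded), b2, b3 = crash_demo()
    print(f"replayed={replayed} discarded={discarded}")
    print("block 2 intact:", b2 == b"A" * 512, "| block 3 untouched:", b3 == b"\x00" * 512)
```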

Here are some specific file systems:

  • File Allocation Table (FAT): This is an older system, which was popular with Microsoft operating systems for many years. FAT was first implemented in Microsoft Standalone Disk BASIC. FAT stores file locations by sector in a file called the file allocation table. This table contains information about which clusters are being used by which particular files and which clusters are free to be used. The various extensions of FAT, such as FAT16 and FAT32, differ in the number of bits available for filenames.

  • New Technology File System (NTFS): Microsoft eventually introduced a new file system to replace FAT. This file system is called New Technology File System (NTFS). This is the file system used by Windows NT 4 through Windows 10 as well as Server 2000 through Server 2016. One major improvement of NTFS over FAT was the increased volume sizes NTFS could support. The maximum NTFS volume size is 2^64 − 1 clusters. We will be discussing NTFS in more detail when we discuss Windows forensics, later in this book.

  • Extended file system: This was the first file system created specifically for Linux. There have been many versions of EXT; the current version is 4. The EXT4 file system can support volumes with sizes up to 1 exabyte (10^18 bytes, or 1 billion gigabytes) and files with sizes up to 16 terabytes. This is a huge file and volume size, and no current hard drives come even close to that volume size. For an administrator, one of the most exciting features of EXT4 is that it is backward compatible with EXT2 and EXT3, making it possible to mount drives that use those earlier versions of EXT.

  • ReiserFS: This is a popular journaling file system, used primarily with Linux. ReiserFS was the first file system to be included with the standard Linux kernel, and first appeared in kernel version 2.4.1. Unlike some file systems, ReiserFS supported journaling from its inception, whereas EXT did not support journaling until version 3. ReiserFS is open source and was invented by Hans Reiser.

  • The Berkeley Fast File System: This is also known as the UNIX file system. As its name suggests, it was developed at the University of California specifically for UNIX. Like many file systems, Berkeley uses a bitmap to track free clusters, indicating which clusters are available and which are not. Like EXT, Berkeley includes the FSCK utility. This is only one of many similarities between Berkeley and EXT. In fact, some sources consider EXT to just be a variant of the Berkeley Fast File System.

Networks

Digital forensics, like all branches of cybersecurity, breaks information into two types. There is information at rest and information in motion. Information at rest includes anything that is stored inside the computer, including in the file system or memory. Information in motion is information being transmitted between endpoints and includes the protocols and other information needed for transmission. The transmission of information across networks and the network components used are a vast, quickly changing field. The modern forensic investigator, however, should be very familiar with the components and how they work as well as the protocols and their operation if information in motion is to be considered as a part of the investigator’s skill set. The modern forensic analyst who will consider information in motion must also be very familiar with the concepts and operation of both the seven-layer Open Systems Interconnection (OSI) Reference Model and the five-layer Internet Engineering Task Force (IETF) model. If you lack this knowledge, you must acquire it before proceeding any further.

Addresses

The digital forensics analyst must be aware of the way in which computer information is addressed and the proper vocabulary for discussing the different types of addresses and units of information transfer. It is also important for the digital forensics analyst to understand that not all addresses are a part of every communication. If they are present, the addresses are part of a hierarchy and are placed, one within the other, like envelopes.

Physical Ports

Physical ports are physical. You can touch them. Even a wireless physical port can be touched, although you must open the computer or other device to find the antenna first. The physical ports operate at OSI Layer 1, the Physical Layer. The units of information transfer are 1 and 0 bits grouped into fixed-length units called Layer 1 frames.

MAC Addresses

A MAC (Media Access Control) address is a 6-byte (or 48-bit) address used to identify a network interface card. The first three bytes identify the vendor; the second three identify the specific card. This can also be referred to as a computer’s physical address.

A MAC address is supposed to be unique, is supposed to be tied to one and only one physical port, and is not supposed to be duplicated or reused for any reason. However, this is not always the case. Duplication of MAC addresses can occur due to bad quality control or can be done intentionally for a variety of malicious reasons. The keen forensic investigator will never be fooled by duplicate MAC addresses.
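Splitting a MAC address into its vendor and card halves, and flagging addresses that show up behind more than one switch port or IP, as an added example (not code from the book). The observation rows are constructed to look like ARP/MAC-table entries; a MAC with several IPs is only a candidate for a closer look, since DHCP reassignment produces the same pattern over time.

```python
import re
from collections import defaultdict


def normalize_mac(text: str) -> str:
    """Accept aa:bb:cc:dd:ee:ff, AA-BB-CC-DD-EE-FF or aabb.ccdd.eeff; return lowercase colon form."""
    digits = re.sub(r"[^0-9A-Fa-f]", "", text)
    if len(digits) != 12:
        raise ValueError(f"not a 48-bit MAC address: {text!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2)).lower()


def parse_mac(text: str) -> dict:
    """Split into the vendor (OUI) and card-specific halves and decode the two flag
    bits of the first byte: bit 1 = locally administered (set by software rather than
    burned in at the factory), bit 0 = multicast."""
    mac = normalize_mac(text)
    first = int(mac[:2], 16)
    return {
        "mac": mac,
        "oui": mac[:8],
        "nic": mac[9:],
        "locally_administered": bool(first & 0x02),
        "multicast": bool(first & 0x01),
    }


def find_duplicate_macs(observations):
    """observations: iterable of (ip, mac, switch_port) rows from ARP/MAC tables.
    Returns {mac: {'ips': set, 'ports': set}} for every MAC seen behind more than
    one port or claiming more than one IP, the pattern a duplicated address leaves."""
    seen = defaultdict(lambda: {"ips": set(), "ports": set()})
    for ip, mac, port in observations:
        entry = seen[normalize_mac(mac)]
        entry["ips"].add(ip)
        entry["ports"].add(port)
    return {m: e for m, e in seen.items() if len(e["ips"]) > 1 or len(e["ports"]) > 1}


# Constructed sample rows, not captured from a real network.
OBSERVATIONS = [
    ("10.0.0.5", "00:1A:2B:3C:4D:5E", "Gi1/0/1"),
    ("10.0.0.6", "00-1A-2B-00-00-01", "Gi1/0/2"),
    ("10.0.0.6", "001a.2b00.0001", "Gi1/0/2"),    # same host seen twice: not a duplicate
    ("10.0.0.7", "00:1a:2b:3c:4d:5e", "Gi1/0/9"),  # same MAC, different IP and port
]

if __name__ == "__main__":
    for mac, detail in find_duplicate_macs(OBSERVATIONS).items():
        info = parse_mac(mac)
        print(f"{mac}: OUI {info['oui']} NIC {info['nic']} "
              f"ports={sorted(detail['ports'])} ips={sorted(detail['ips'])}")
```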

IP Addresses

Internet Protocol (IP) addresses, sometimes called logical addresses, are assigned to a computer and can be easily changed. Although IP version 6 has been available for quite some time, a majority of computers are still using IP version 4, which provides a 32-bit address. We will discuss IP version 4 and version 6 in more detail later in this book when we discuss network forensics.

Logical Port Numbers

Communication over a network depends on an IP address and a port number. You can think of the port as a channel. Here is a list of some common ports and their uses:

  • 20 and 21, File Transfer Protocol (FTP): For transferring files between computers. Port 20 is for data; port 21 is for control.

  • 22, SSH (Secure Shell) and Secure FTP: Used as secure alternates to Telnet and FTP, respectively.

  • 23, Telnet: Used to remotely log on to a system. You can then use a command prompt or shell to execute commands on that system. Popular with network administrators.

  • 25, Simple Mail Transfer Protocol (SMTP): Used to send email.

  • 43, WhoIS: A command that queries a target IP address for information.

  • 53, Domain Name Service (DNS): Translates uniform resource locators (URLs) into web addresses.

  • 69, Trivial FTP (TFTP): A barebones, unauthenticated version of FTP.

  • 80, Hypertext Transfer Protocol (HTTP): Displays webpages.

  • 88, Kerberos authentication

  • 109, Post Office Protocol version 2 (POP 2): An outdated mail protocol.

  • 110, POP3: Retrieves email.

  • 137, 138, and 139, NetBIOS

  • 161 and 162, Simple Network Management Protocol (SNMP): Used to monitor the health of network devices.

  • 179, Border Gateway Protocol (BGP): The main routing protocol for the public Internet.

  • 194, Internet Relay Chat (IRC): Chat rooms.

  • 220, Internet Message Access Protocol (IMAP): The most popular email protocol. Also can use port 143.

  • 389, Lightweight Directory Access Protocol (LDAP): How directories, the phonebooks of networks, connect and communicate.

  • 443, Hypertext Transfer Protocol Secure (HTTPS): A secure version of the web browsing protocol HTTP.

  • 445, Active Directory and Server Message Block (SMB)

  • 464, Kerberos: Used to change passwords.

  • 465, SMTP over Secure Sockets Layer (SSL)

Uniform Resource Locators (URLs)

As the Internet grew and the number of servers and their IP addresses grew, the Domain Name System (DNS) was created to allow Internet users to type a name instead of an IP address. This simplification is convenient, but it introduces a number of potential forensic issues: the mapping of a website name to an IP address can be changed, permanently or temporarily, and many variants of this technique can be used to redirect browsers and befuddle forensic efforts.

Addressing Review

In a complete, end-to-end Internet communication, it is most common that user information, such as email text, would be formatted as specified by the email protocol. A URL would then be used to find the actual IP address of the recipient. The message would be formatted per the Transmission Control Protocol (TCP) and sent with the proper TCP port number set to the IP addresses. The IP packet containing all of this would be put into a special envelope built per the protocol rules of Ethernet, which would make its way onto the actual wire, or go across the wireless or optical connection on its way through the cloud to its destination. At the destination, the process would be done in reverse and the email, or at least a part of it, would have gotten through to its destination.

Basic Network Utilities

You can execute some basic network utilities from a command prompt (Windows) or from a shell (UNIX/Linux). This text runs the commands and discusses them from the Windows command-prompt perspective; however, it must be stressed that these utilities are available in all operating systems. This section covers the ipconfig, ping, and tracert utilities.

Working with ipconfig

The first thing you need to do is to get information about your own system. To accomplish this fact-finding mission, you need to get to a command prompt. In Windows XP, you do this by going to the Start menu and then selecting All Programs > Accessories > Command Prompt. For other versions of Windows, the process is identical, except the first option is called simply Programs rather than All Programs. Now you can type in ipconfig. You could input the same command in UNIX or Linux by typing in ifconfig from the shell. After typing in ipconfig—ifconfig in Linux—you should see something similar to what is shown in FIGURE 1-2.

This command gives you some information about your connection to a network or to the Internet. Most important, you find out your own IP address. The command also has the IP address for your default gateway, which is your connection to the outside world. Running the ipconfig command is a first step in determining your system’s network configuration.

The ipconfig /all option gives you much more information. For example, ipconfig /all gives the name of your computer, when your computer obtained its IP address, and more.

FIGURE 1-2
ipconfig.

Used with permission from Microsoft.

Using ping

Another commonly used command is ping, which is used to send a test packet, or echo packet, to a machine to find out if the machine is reachable and how long the packet takes to reach the machine. This useful diagnostic tool can be employed in elementary hacking techniques. The command is shown in FIGURE 1-3.

You can see in Figure 1-3 that a 32-byte echo packet was sent to the destination and returned. The TTL item means time to live. That value is the number of intermediary steps, or hops, the packet may take toward the destination before it is discarded. Remember that the Internet is a vast conglomerate of interconnected networks. Your packet probably won’t go straight to its destination. It will have to take several hops to get there. As with ipconfig, you can type in ping -? to find out various ways you can refine your ping.

FIGURE 1-3
ping.

Used with permission from Microsoft.

FIGURE 1-4
tracert.

Used with permission from Microsoft.

Working with tracert

The final command this section examines is the tracert command. You can see this command in FIGURE 1-4. Although tracert can be useful for some live network troubleshooting, the information reported by tracert is not useful or trustworthy for forensic examination. This same command can be executed in Linux or UNIX, but there it is called traceroute rather than tracert.

This section is just a brief overview of the hardware, software, and networking knowledge you should have in order to study forensics. If you find you are lacking in one or more areas, do some review in those areas before you proceed.

Obscured Information and Anti-Forensics

Two more challenges in obtaining digital evidence are obscured information and anti-forensics.

Obscured Information

Information can be obscured in a number of ways. Obscured information may be scrambled by encryption, hidden using steganographic software, compressed, or stored in a proprietary format. Sometimes, cybercriminals obscure information to deter forensic examination. More often, companies use certain manipulation and storage techniques to protect business-sensitive information. Regardless of the reason for obscured data, collecting and analyzing it is difficult.

Data that has been obscured through encryption, steganography, compression, or proprietary formats can sometimes be converted with some serious detective work and the right tools. Forensic specialists often must do quite a bit of work to decrypt encrypted information. In many cases, the investigator cannot decrypt information unless the data owner provides the encryption key and algorithm. When digital evidence has been encrypted and is in use on a live system, an investigator might have to collect evidence through a live extraction process.

Anti-Forensics

Every investigation is unique. Investigations are not necessarily friendly activities. Forensic specialists may have to conduct the investigation with or without the cooperation of the information owner. And the information owner may or may not be the target of the investigation. Investigations with uncooperative information owners are difficult.

Attackers may use techniques to intentionally conceal their identities, locations, and behavior. For example, perpetrators may conceal their identities by using networked connections at a library, an Internet café, or another public computer kiosk. Or, they may use encryption or anonymous services to protect themselves. The actions that perpetrators take to conceal their locations, activities, or identities are generally termed anti-forensics.

Cybercriminals are becoming better at covering their tracks as their awareness of digital forensics capabilities increases. The following are examples of anti-forensics techniques:

  • Data destruction: Methods for disposing of data vary. They can be as simple as wiping the memory buffers used by a program, or they can be as complex as repeatedly overwriting a cluster of data with patterns of 1s and 0s. Digital evidence can be destroyed easily. For example, starting a computer updates timestamps and modifies files. Attaching a hard disk or USB stick modifies file system timestamps. Powering off a machine destroys volatile memory. Suspects may delete files and folders and defrag their hard drives in an attempt to overwrite evidence.

  • Data hiding: Suspects often store data where an investigator is unlikely to find it. They may hide data, for example, in reserved disk sectors or as logical partitions within a defined, public partition. Or they may simply change filenames and extensions.

  • Data transformation: Suspects may process information in a way that disguises its meaning. For example, they may use encryption to scramble a message based on an algorithm. Or they may use steganography to hide a message inside a larger message.

  • File system alteration: Suspects often corrupt data structures and files that organize data, such as a Windows NT File System (NTFS) volume.
