Business Continuity Plan Essay

3315 Words, 14 Pages
Data Sources in Digital Forensics
March 17, 2013
Joana Achiampong
CSEC 650

Introduction

Four sources of data that stand out for forensic investigators in most criminal investigations are files, operating systems, routers and network traffic, and social network activity. Each data source presents a variety of opportunities and challenges for investigators, meaning that the more reliable data collection and analysis activity typically involves examination of a variety of sources. Digital forensics must cover the four basic phases of activity, which include: data collection, which describes the identification and acquisition of relevant data; data examination, which includes the processing of data through the use…
One of the primary benefits of files as a data source is the ability to separate and analyze the types of files, which creates a specific signature based on the content and user (Marcella & Menendez, 2008). Data can be pulled from deleted files, slack space on a system's hard drive, or free space, all of which provide information that can be useful to investigators. The directory location and allocation type for each file inform the data that has been collected, including a time stamp and whether tools have been used to hide the data. Each of these characteristics gives investigators easy-to-access information about a system. In addition, there are a variety of hardware tools that can be used to access data. This technology is fairly common, meaning that associated costs tend to be minimal when retrieving data from files (Purita, 2006).

File examination can reveal several types of suspicious activity that tend to be helpful for investigators. One example is the presence of hidden evidence on file systems. This type of data can be hidden in deleted file spaces, slack spaces, and bad clusters. File space is marked as deleted when it is removed from an active directory. This data will continue to exist within a cluster of a hard disk and can be identified and accessed by creating a file in Hex format and transferring the copied data. Data can also be hidden in many other ways, including by removing partitions that are created between data and by
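
Added example (not part of the original essay): the Python code below builds a small constructed volume to show why deleted file data and slack space remain readable to an examiner. The 512-byte cluster size, the directory layout, the file names and the file contents are all assumptions made for the illustration.

```python
# Added example: toy volume, directory layout and file contents are constructed.
CLUSTER = 512  # assumed bytes per cluster


def build_volume():
    """Return (image, directory) for a constructed 4-cluster volume."""
    image, directory = bytearray(CLUSTER * 4), []

    def write(name, start, data):
        offset = start * CLUSTER
        image[offset:offset + len(data)] = data
        directory.append({"name": name, "start": start,
                          "size": len(data), "deleted": False})

    write("old_report.txt", 0, b"ACCOUNT 4471 TRANSFER LOG " * 30)  # 780 bytes
    directory[0]["deleted"] = True      # deletion only flags the entry
    write("notes.txt", 0, b"meeting at noon")  # shorter file reuses cluster 0
    write("photo.bin", 2, b"\xff\xd8" + b"\x00" * 100)
    return bytes(image), directory


def file_slack(image, entry):
    """Bytes from the file's logical end to the end of its last cluster."""
    end = entry["start"] * CLUSTER + entry["size"]
    n_clusters = max(1, -(-entry["size"] // CLUSTER))  # ceiling division
    return image[end:(entry["start"] + n_clusters) * CLUSTER]


def residual_findings(image, directory):
    """Return (name, kind, bytes) for deleted entries and non-empty slack."""
    findings = []
    for entry in directory:
        if entry["deleted"]:
            start = entry["start"] * CLUSTER
            data = image[start:start + entry["size"]]
            findings.append((entry["name"], "deleted", data))
        elif file_slack(image, entry).strip(b"\x00"):
            findings.append((entry["name"], "slack", file_slack(image, entry)))
    return findings


if __name__ == "__main__":
    volume, table = build_volume()
    for name, kind, data in residual_findings(volume, table):
        # Hex preview of the first 16 recovered bytes, as a hex viewer shows it
        print(f"{name:15} {kind:8} {len(data):4} bytes  {data[:16].hex(' ')}")
```

In this constructed volume the short notes.txt overwrites only the first 15 bytes of the deleted report, so the rest of the report survives in the slack of cluster 0 and in the now-unallocated cluster 1.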