Computer Systems Forensic Analysis

Applied Cryptography Robust Software Quantum Safety Machine Learning Applied to Security Analysis and Exploration of Vulnerabilities Computer Systems Forensic Analysis Reverse Engineering Identification, Authentication and Authorization Secure Execution Environments Direito da Organização e da Segurança

Computer Systems Forensic Analysis
Overview of Cybercrime
Introduction to Digital Forensics
Obtaining Evidences
Data Organization
Storage Devices
Volumes and Partitions
RAM Analysis
Mobile Forensics
Open Source INTelligence
Documentation and Reporting

Powered by GitBook

On this page

Volume Analysis

PreviousLogical addresses NextTypes of Partition Tables

Last updated 11 months ago

Procedure.

performed automatically by tools most of the time.
- except if corruption has occurred.
steps that must be performed (by software or manually):
- read partition table.
- identify the partition layout (start and end sectors).
- analyze the unallocated space – it may contain data from a previous OS.

Consistency checks

does the last partition end at the end of the parent volume?
are the partitions consecutive?
is there any overlap between partitions?
- may happen if the partition table is corrupted.

How to recover partitions.

they may have been deleted to hinder the investigation.
or the partition table may have become corrupted.
usually, partitions have a file system, so we can search for their patterns.
- FAT has the values 0x55 and 0xAA on bytes 510 and 511 of the first sector.
gpart tool tries to identify partitions based on patterns: gpart -v disco.dd
testdisk is another tool to recover partition tables.