Posts tagged with: digital forensic
Jul 29, 2013    |      0 comments

Digital Forensic ~ Basic Linux Forensic Tools

Here are some basic linux forensic tools that usually used by digital forensic analyzer to perform an analysis on disk images.

dd – a tool used to clone a file, disk partition, or even an entire disk content. This is a bit-by-bit cloning tools, so the cloned file or device is 100% identical to the original one as long as the cloned file or device is not modified.

sfdisk and fdisk – tools used to see the disk structure in the computer.

grep– used with the other linux command such as ls or more, the output of the command will only display the lines that match with the pattern given by this command.

looping device – allows us to mount an image without having to rewrite the image to a disk.

md5sum and sha1sum – creating a md5 or sha1 hash of Continue Reading

May 17, 2013    |      0 comments

MP3 File Structure

File structure is something that make up a file. File is the smaller form of a filesystem. A file can’t be called “file” when it is not structured. Structure of a file is important to make that file readable because when it is not properly structurized I bet the system won’t be able to read it. And I think there’s also a standarization of a file structure, so a pdf file named A will have the same structure as the B,C,D or the other pdf files. The file structure of each filetype is also different. An .avi files will have different file structure with a .doc file.
In this post I’ll try to explain about the structure of an mp3 file.Β Β  πŸ™‚

Continue Reading

May 13, 2013    |      0 comments

MBR ~ Master Boot Record

Computer Forensic mostly dealing with a storage device like Flashdisk, Harddisk, CD, DVD, RAM, etc. There are two type of storage, volatile and non volatile. Dealing with volatile storage device like RAM is more difficult because when the Computer is turned off, the data inside will disappear and some evidence maybe would lost too. Dealing with non volatile memory like Flashdisk or Harddisk isn’t easy too. False method will make an evidence found on the memory won’t be valid anymore.

In the Harddisk, there is something called MBR or Master Boot Record. MBR contain a series of code which make the harddisk can boot the system. IBM is the one who make it well known by the world. Usually, MBR located in the first sector of the Harddisk. Some of MBR task are :
1. Record the partition table on the system, which contains the details of the partition of a storage device on the system.
2. Bootstrapping an operating system.
3. Identify individual storage media.

Partition table that exist in the MBR describe where the partition are put in the Harddisk. This scheme only availabe in the Intel x86 system and integrated in the BIOS of the system. This type of partitioning scheme make the partition divided into three types : Continue Reading

May 13, 2013    |      0 comments

Slack Space

Again, in this post I’ll try to explain a thing that related to Computer Digital Forensic that is Slack Space.

In a Storage Device when a file is saved, it is stored in the beginning of a cluster. Cluster itself is like a directory in the storage. It consist of some sectors. Imagine a House fully contained with 50 cupboards that have 4 drawers each..
Get it? πŸ˜€
Lets say that this house is the harddisk, the cupboards is the cluster, while the drawers on each cupboard is the sector. So, we can say that this harddisk have 50 cluster and 4 sector on each cluster.
cmiiw.. πŸ˜›

Continue Reading

May 12, 2013    |       2 comments

What is Unallocated Space?


When you’re installing an operating system on a new harddisk, do you notice that the installer said that our disk status is Unallocated? Or when you want to divide a harddisk into two or more partition, after the split the newly created partition also in the “Unallocated” status. So what is this unallocated called thing?

Unallocated space, or in the other word “free space”, is logical space on a hard drive that can be used by the system to put files on. Unallocated space is the opposite of “allocated” space, which means a place on the hard drive where there’s already files written or stored in it. Unallocated space is different from Slack space. The difference, in the unallocated space the system can put files in it, where in the slack space the system can’t put any files in it. Simple right?

Here’s an example. If we put a file into certain space on the hard drive, that part of the hard drive is now in allocated status because the file is using its space. When a space is in allocated status, no other files can be written to that space. If the file we stored is deleted then that space of the hard drive is now in the unallocated status. This means that we can put some files in it. Continue Reading

Pages:12