5.8 Resources

Important Terms Introduced

  • abstraction

  • address variable

  • admissible

  • bitmap

  • boot blocks

  • check value

  • checksum

  • civil complaint

  • cluster

  • cluster chain

  • concurrency problem

  • criminal complaint

  • cylinder

  • device independence

  • digital forensics

  • disk drive

  • dismount

  • drive controller

  • due diligence

  • evidence log

  • extent

  • file scavenging

  • fragmentation

  • hardware block diagram

  • header

  • high-level format

  • incident

  • index variable

  • inode

  • low-level format

  • mediation

  • modularity

  • Moore’s law

  • mount

  • partition

  • platter

  • pointer variable

  • private action

  • random access

  • raw I/O

  • read/write head

  • remediation

  • sector

  • sequential access

  • software layering

  • track

  • undelete

Abbreviations Introduced

  • APFS—Apple File System

  • AT&T—American Telephone and Telegraph

  • B (uppercase)—suffix indicating storage in bytes

  • b (lowercase)—suffix indicating storage in bits

  • B-trees—balanced trees

  • BPB—BIOS parameter block

  • BSD—Berkeley Software Distribution

  • CRC—cyclic redundancy check

  • ECC—error correcting code

  • EDC—error detecting code

  • FAT—file allocation table

  • FFS—Fast File System

  • GPS—Global Positioning System

  • HFS+ (HFS plus)—hierarchical file system plus

  • MB—megabyte

  • MFT—master file table

  • MMC—multimedia card

  • NTFS—NT file system

  • PC—personal computer

  • RPM—revolutions per minute

  • SD—secure digital

  • SDHC—secure digital high capacity

  • SDXC—secure digital extended capacity

  • UFS—Unix file system

*Refer to Table 5.1 for large number abbreviations.

5.8.1 Review Questions

  R1. Explain the four general tasks that may play a role in recovering from a security incident.

  R2. Describe the basic requirements evidence must meet to be used in a legal proceeding.

  R3. List and explain the three general categories of legal systems used in the world. Give an example of each.

  R4. List and describe four ways of resolving a security incident that could rise to the level of a legal dispute.

  R5. Explain the concept of due diligence.

  R6. Does an employer in the United States have an unconditional right to search employee desks or lockers on company premises? Why or why not? Is there a way by which the employer can legally perform such searches?

  R7. Describe the three steps an investigator performs when collecting forensic evidence.

  R8. Is it better to perform a clean “shutdown” or simply pull the plug when collecting a computer as evidence?

  R9. Explain how an investigator can examine a hard drive and still convince a court that the examination is based on the information residing on the drive when the suspect last had possession of it.

  R10. Draw a diagram showing the basic components of a hard drive and its controller.

  R11. Explain the difference between “high-level” and “low-level” disk formatting. When we perform a “quick format,” what formatting do we perform?

  R12. Describe two different ways of hiding data on a hard drive using partitions.

  R13. What is the difference between 1 GB of storage and 1 GiB of storage? What is the difference between 1 KB of storage and 1 Kb of storage?

  R14. Explain how to quickly convert a decimal number to a power of two by converting between decimal and binary exponents.

  R15. What is Moore’s law?

  R16. Describe how to recover a deleted FAT file and its contents.

  R17. Summarize shortcomings of the FAT file system compared to other modern file systems.

  R18. List the three major hard drive storage problems addressed by file systems.

  R19. Outline major similarities and differences between FAT, NTFS, Unix, and HFS+ file systems.

  R20. Identify which mobile device vendors use which file systems.

  R21. Summarize the three strategies by which the operating system provides input/output services and a file system.

  R22. Explain the relationship between device independence and device drivers.

  R23. For each step in the example I/O operation described in Section 5.7.2, indicate which layer from Figure 5.18 performs the step.

  R24. Indicate which layers from Figure 5.18 enforce which security measures in the I/O and file systems.

5.8.2 Exercises

  E1. Find the detailed technical specifications for a commercial hard drive. The specifications will identify a precise minimum or total amount of storage provided on the hard drive. Using this information, report the following:

    1. The hard drive’s advertised size in bytes

    2. The exact, or minimum, number of bytes of storage actually provided by the hard drive

    3. The number of bytes of the power of two, or small multiple of a power of two, that is closest to the hard drive’s advertised size

  E2. Search the internet for a description of a court action whose decision affected how computer equipment and information may be used as evidence. Describe the legal problem and the court’s decision.

  E3. Unix has a mechanism called a hard link by which it creates additional directory entries that all point to the same file. This is easy to manage because most information resides in the file’s inode, including a count of the number of links. Bob is trying to create a hard link to a file in a FAT directory by duplicating the file’s existing directory entry and giving it a new name. How well will existing file read, write, and delete operations work?

    1. Which operations work correctly if a FAT file has two directory entries?

    2. What operations won’t work correctly? How do those operations fail to work correctly?

The following questions involve a forensic examination of a FAT file system. Find a “dump” utility and use it to examine the contents of a FAT file system. First, find an unused removable device, like a USB flash drive, and reformat it. Use online descriptions of the FAT format to locate the FAT and the file directories with the dump utility. Perform these exercises and print the results from the dump utility. Use a marker to highlight the results.

  E4. Create a text file. Locate the file’s directory entry and print it out. Locate the first cluster in the file and print it out.

  E5. Create a subdirectory and place two text files in it. Locate the subdirectory you created. Print out the subdirectory.

  E6. Delete a file. Locate the file’s directory entry and print it out.

  E7. TABLE 5.5 contains the partition table from the MBR for the volume in Figure 5.9. The following is a list of sectors stored in different partitions. For each sector and partition, calculate the absolute address of the sector. (Hint: Use a spreadsheet.)

    1. Partition 0, sector 1

    2. Partition 0, sector 8184

    3. Partition 1, sector 2040

    4. Partition 1, sector 10,000

    5. Partition 2, sector 1

    6. Partition 2, sector 4088

    TABLE 5.5 Partition Table for the Drive in Figure 5.9 [table image not reproduced here]

    The following questions involve TABLE 5.6, which contains part of a file allocation table. The “Cluster” column contains cluster numbers; the “Pointer” column contains the corresponding FAT entry.

    TABLE 5.6 Part of a File Allocation Table [table image not reproduced here]

    Each FAT entry contains one of the following: 0 to indicate a free cluster, 9999 to indicate the end of the file, or any value in between to indicate the next cluster in the file. The following directory entries apply to these FAT entries:

    • Name: F1, Starting Cluster: 100

    • Name: F2, Starting Cluster: 106

    • Name: F3, Starting Cluster: 120

    • Name: F4, Starting Cluster: 126

  E8. For each file named in the directory entries, give the number of clusters in the file.

  E9. We want to read individual bytes from these files. Clusters on this volume contain 4096 bytes each. For each of the following file names and byte offsets, identify the cluster that contains that byte.

    1. File F1, offset 1000

    2. File F2, offset 10,000

    3. File F2, offset 20,000

    4. File F3, offset 1000

    5. File F4, offset 10,000

    6. File F4, offset 20,000

  E10. We are writing additional data to file F1 and need to add another cluster to the end of the file. Locate a cluster in the FAT to add to the file. List the specific changes to make to the FAT to add the sector to F1.

  E11. As in Exercise E10, we are writing data to file F2 and must add another cluster. List the specific changes to make to the FAT to add the cluster.

  E12. We are deleting File F3. List the specific changes made to the FAT to delete F3.

  E13. The engineering manager has decreed that we must discard the FAT and describe the disk contents in terms of extents. Use the FAT and file entries as they appear in Table 5.6.

    1. List the clusters in files F1 and F2 using extents.

    2. List the clusters in files F3 and F4 using extents.

    3. List all free clusters appearing in Table 5.6 using extents.
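As an added worked example (not from the book), the FAT bookkeeping that Exercises E8 through E13 ask for, run over a small constructed FAT fragment that stands in for Table 5.6 using the page’s 0 = free / 9999 = end-of-file convention and 4096-byte clusters. The chain walker refuses loops and links into free clusters, which is the sanity check an examiner wants before trusting a chain read from a possibly damaged FAT.

```python
FREE, EOF = 0, 9999          # FAT entry conventions from Exercises E8-E13
CLUSTER_BYTES = 4096         # cluster size given in E9
# Constructed FAT fragment standing in for Table 5.6 (values invented for this example).
FAT = {100: 101, 101: 102, 102: 103, 103: EOF, 104: FREE, 105: FREE,
       106: 107, 107: 110, 108: FREE, 109: FREE, 110: EOF,
       120: 121, 121: EOF, 122: FREE, 123: FREE, 124: FREE, 125: FREE,
       126: 127, 127: 128, 128: 129, 129: 130, 130: EOF}

def chain(fat, start):
    """E8: follow a cluster chain; a loop or a link into a free cluster means corruption."""
    seen, cur = [], start
    while cur != EOF:
        if cur in seen or fat.get(cur, FREE) == FREE:
            raise ValueError(f"corrupt chain at cluster {cur}")
        seen.append(cur)
        cur = fat[cur]
    return seen

def cluster_for_offset(fat, start, offset):
    """E9: cluster holding byte `offset` of the file starting at `start`."""
    clusters = chain(fat, start)
    idx = offset // CLUSTER_BYTES
    if idx >= len(clusters):
        raise ValueError("offset past end of file")
    return clusters[idx]

def append_cluster(fat, start):
    """E10/E11: link the lowest-numbered free cluster after the file's last cluster."""
    new = min(c for c, v in fat.items() if v == FREE)
    fat[chain(fat, start)[-1]] = new
    fat[new] = EOF
    return new

def delete_file(fat, start):
    """E12: free the chain; the links are gone, so undelete must assume the file was contiguous."""
    freed = chain(fat, start)
    for c in freed:
        fat[c] = FREE
    return freed

def extents(clusters):
    """E13: collapse a list of cluster numbers into (first cluster, length) runs."""
    runs = []
    for c in clusters:
        if runs and runs[-1][0] + runs[-1][1] == c:
            runs[-1] = (runs[-1][0], runs[-1][1] + 1)
        else:
            runs.append((c, 1))
    return runs
```

The free-cluster extents of E13 part 3 are `extents(sorted(c for c, v in FAT.items() if v == FREE))`; on the constructed table that gives `[(104, 2), (108, 2), (122, 4)]`.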

The following exercises ask about files of yours that you have not used in a while and that you may safely modify. You should use “About” and “Info” commands, and look at folder or directory listings to collect this information. Depending on the file system, you may be able to retrieve a creation date, reference date, and modification date.

  E14. Answer the following questions about a file stored on your computer’s main hard drive: the hard drive that contains your operating system.

    1. What type of device is this: hard drive, solid state, removable, flash?

    2. What file system does the drive use? If FAT, try to determine if it is FAT 12, FAT 16, or FAT 32.

    3. Get information about the file: What dates can you retrieve and what do the dates say?

    4. Open the file with an editor or other program. Look at the file but do not change it. Close the file. Now, collect information about the file and report which dates, if any, have changed.

    5. Open the file again and make a minor, nondamaging change to it (e.g., rotate an image left, then right). Save the file without changing the name. Now, collect the information about the file and report which dates, if any, have changed.

  E15. Answer these questions about a file of yours stored on a removable drive or USB flash memory.

    1. What type of device is this: hard drive, solid state, flash?

    2. What file system does the drive use? If FAT, try to determine if it is FAT 12, FAT 16, or FAT 32.

    3. Get information about the file: What dates can you retrieve and what do the dates say?

    4. Open the file with an editor or other program. Look at the file but do not change it. Close the file. Now, collect information about the file and report which dates, if any, have changed.

    5. Open the file again and make a minor, nondamaging change to it (e.g., rotate an image). Save the file without changing the name. Now, collect the information about the file and report which dates, if any, have changed.

  E16. Find a discarded hard drive to disassemble. As you disassemble it, keep a list of every part removed or cut. Remove the cover to display the drive mechanism. Identify the major parts.
