Homework 55
Chapter 15
©2011 Eoghan Casey. Published by Elsevier Inc. All rights reserved.
Computer Basics for Digital Investigators
Figure 1.1
Copyright © 2011 Academic Press Inc.
©2011 Eoghan Casey. Published by Elsevier Inc. All rights reserved.
FIGURE 15.1 Diagram of the Atanasoff-Berry Computer (ABC). Image from http://www.scl.ameslab.gov/ABC/Progress.html (reproduced with permission).
Figure 1.1
Copyright © 2011 Academic Press Inc.
©2011 Eoghan Casey. Published by Elsevier Inc. All rights reserved.
FIGURE 15.2 An electrical pulse resets the CPU, which, in turn, activates the BIOS
Figure 1.1
Copyright © 2011 Academic Press Inc.
©2011 Eoghan Casey. Published by Elsevier Inc. All rights reserved.
FIGURE 15.3 Beginning of a JPEG-encoded EXIF file.
Figure 1.1
Copyright © 2011 Academic Press Inc.
©2011 Eoghan Casey. Published by Elsevier Inc. All rights reserved.
FIGURE 15.4 Magnetic patterns on a hard disk as seen through a magnetic force microscope. Peaks indicate a one (1) and troughs signify a zero (0). Image from http://www.ntmdt.ru/applicationnotes/MFM/ (reproduced with permission).
Figure 1.1
Copyright © 2011 Academic Press Inc.
©2011 Eoghan Casey. Published by Elsevier Inc. All rights reserved.
FIGURE 15.5 A depiction of platters, tracks, sectors, clusters, and heads on a computer disk.
Figure 1.1
Copyright © 2011 Academic Press Inc.
©2011 Eoghan Casey. Published by Elsevier Inc. All rights reserved.
FIGURE 15.6 Simplified depiction of disk structure with two partitions, each containing a FAT formatted volume.
Figure 1.1
Copyright © 2011 Academic Press Inc.
©2011 Eoghan Casey. Published by Elsevier Inc. All rights reserved.
FIGURE 15.7 Prior folder structure recovered from a reformatted NTFS volume.
Figure 1.1
Copyright © 2011 Academic Press Inc.
©2011 Eoghan Casey. Published by Elsevier Inc. All rights reserved.
FIGURE 15.8 Windows 95 boot sector viewed using Norton Diskedit.
Figure 1.1
Copyright © 2011 Academic Press Inc.
©2011 Eoghan Casey. Published by Elsevier Inc. All rights reserved.
FIGURE 15.9 Volume slack containing remnants of Form virus viewed using EnCase.
Figure 1.1
Copyright © 2011 Academic Press Inc.
©2011 Eoghan Casey. Published by Elsevier Inc. All rights reserved.
FIGURE 15.10 When old data are overwritten with new data, some of the old data can remain.
Figure 1.1
Copyright © 2011 Academic Press Inc.
©2011 Eoghan Casey. Published by Elsevier Inc. All rights reserved.
FIGURE 15.11 A folder named “tk” contained important evidence related to a computer intrusion investigation. The “tk” folder is visible using a newer version of a digital evidence examination tool (left) but not an older version containing a bug (right). Reproduced from Casey (2005).